Lucene search

K
ibmIBM2685C67792A944C5EA20F8088BC8F9FCF5A3D1AEB731FDF7D1B21072FC55A8BF
HistoryNov 21, 2023 - 1:24 p.m.

Security Bulletin: There is a vulnerability in jetty-http-9.4.48.v20220622.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2023-26049)

2023-11-2113:24:41
www.ibm.com
10
vulnerability information
ibm maximo application suite
ibm maximo manage
cve-2023-26049
jetty http
remote attacker
sensitive information
nonstandard cookie parsing
attack mitigation
upgrade available

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

6.3

Confidence

Low

EPSS

0.001

Percentile

40.9%

Summary

There is a vulnerability in jetty-http-9.4.48.v20220622.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2023-26049)

Vulnerability Details

CVEID:CVE-2023-26049
**DESCRIPTION:**Eclipse Jetty could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw during nonstandard cookie parsing. By sending a specially crafted request to tamper with the cookie parsing mechanism, an attacker could exploit this vulnerability to obtain values from other cookies, and use this information to launch further attacks against the affected system.
CVSS Base score: 4.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253355 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Maximo Application Suite - Manage Component

MAS 8.10.0 - Manage 8.6.0

Remediation/Fixes

For IBM Maximo Manage application in IBM Maximo Application Suite:

MAS Manage Patch Fix or Release
Upgrade to MAS 8.10.X

Upgrade to Manage 8.6.4 or latest (available from the Catalog under Update Available)

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmmaximo_application_suiteMatch8.10
CPENameOperatorVersion
ibm maximo application suiteeq8.10

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

6.3

Confidence

Low

EPSS

0.001

Percentile

40.9%