Security Bulletin: Vulnerability in Spring Security affects IBM Process Mining (CVE-2023-20862)

IBM, Jun 27, 2023 - 11:47 a.m.

www.ibm.com

CVSS3: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW

EPSS: 0.001 (percentile 29.4%)

Summary

There is a vulnerability in Spring Security that could allow a remote attacker to bypass security restrictions and remain authenticated after logout is performed. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability.

Vulnerability Details

CVEID: CVE-2023-20862
**DESCRIPTION:** VMware Tanzu Spring Security could allow a remote attacker to bypass security restrictions, caused by the logout support feature not properly cleaning the security context when serialized versions are used. By sending a specially crafted request, an attacker could exploit this vulnerability to remain authenticated after logout is performed.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/253351 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s): IBM Process Mining
Version(s): 1.14.0, 1.13.2

Remediation/Fixes

Remediation/Fixes guidance:

Product(s): IBM Process Mining
Version(s) number and/or range: 1.14.0, 1.13.2
Remediation/Fix/Instructions: Upgrade to version 1.14.1

1. Log in to Passport Advantage
2. Search for M0D0JML (Process Mining 1.14.1 Server Multiplatform Multilingual)
3. Download the package
4. Follow the install instructions
5. Repeat for M0D0KML (Process Mining 1.14.1 Client Windows Multilingual)

Workarounds and Mitigations

Workarounds/Mitigation guidance:

None known

Affected configurations (Vulners)

Vendor: ibm, Product: cloud_pak_for_automation, Version: 1.14.0, CPE: cpe:2.3:a:ibm:cloud_pak_for_automation:1.14.0:*:*:*:*:*:*:*
OR
Vendor: ibm, Product: cloud_pak_for_automation, Version: 1.13.2, CPE: cpe:2.3:a:ibm:cloud_pak_for_automation:1.13.2:*:*:*:*:*:*:*
