Security Bulletin: IBM Cloud Pak for Security is vulnerable to CVE-2021-20538 and CVE-2021-20577

Summary

IBM Cloud Pak for Security versions 1.5.0.1 and earlier is vulnerable to the following CVEs: CVE-2021-20538, meaning that sensitive information can be obtained by the user without sufficient authorisation. CVE-2021-20577, allowing cross side scripting that can potentially lead to credentials disclosure. These are addressed in CP4S 1.6.0.0 and later versions

Vulnerability Details

CVEID:CVE-2021-20538
**DESCRIPTION:**IBM Cloud Pak for Security (CP4S) could allow a user to obtain sensitive information or perform actions they should not have access to due to incorrect authorization mechanisms.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/198919 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID:CVE-2021-20577
**DESCRIPTION:**IBM Cloud Pak for Security (CP4S) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/199281 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

Remediation/Fixes

Upgrade to Cloud Pak for Security v 1.6.0.0 or higher following instructions <https://www.ibm.com/docs/en/cloud-paks/cp-security/1.6.0?topic=security-upgrading-cloud-pak-150x&gt;

Workarounds and Mitigations

None