Lucene search

IBM3B748CD16EC1C0979028FE1C4FAE683B3188B9B04E467DFDE1100323ABAD5DAE

HistoryJun 28, 2024 - 12:43 p.m.

Security Bulletin: A vulnerability in urllib3 affects Data Replication on Cloud Pak for Data

2024-06-2812:43:29

www.ibm.com

python urllib3

crlf injection

data replication

cloud pak

cve-2019-11236

cross-site scripting

cache poisoning

session hijacking

cvss

ibm

fix pack.

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

6.6

Confidence

High

JSON

Summary

A vulnerability in the urllib3 package has been addressed.

Vulnerability Details

CVEID:CVE-2019-11236
**DESCRIPTION:**Python urllib3 is vulnerable to CRLF injection, caused by improper validation of user-supplied input by the request parameter. By sending a specially-crafted HTTP response containing CRLF character sequences, a remote attacker could exploit this vulnerability to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/159527 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
Data Replication on Cloud Pak for Data	All before 4.8.0

Remediation/Fixes

Update to the latest product fix pack found here: <https://www.ibm.com/docs/en/cloud-paks/cp-data/4.8.x?topic=new-data-replication>

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmcognos_analytics_cartridge_for_ibm_cloud_pak_for_dataMatch4.6.4

ibmcognos_analytics_cartridge_for_ibm_cloud_pak_for_dataMatch4.6.5

ibmcognos_analytics_cartridge_for_ibm_cloud_pak_for_dataMatch4.7.0

ibmcognos_analytics_cartridge_for_ibm_cloud_pak_for_dataMatch4.7.1

ibmcognos_analytics_cartridge_for_ibm_cloud_pak_for_dataMatch4.7.2

VendorProductVersionCPE
ibmcognos_analytics_cartridge_for_ibm_cloud_pak_for_data4.6.4cpe:2.3:a:ibm:cognos_analytics_cartridge_for_ibm_cloud_pak_for_data:4.6.4:*:*:*:*:*:*:*
ibmcognos_analytics_cartridge_for_ibm_cloud_pak_for_data4.6.5cpe:2.3:a:ibm:cognos_analytics_cartridge_for_ibm_cloud_pak_for_data:4.6.5:*:*:*:*:*:*:*
ibmcognos_analytics_cartridge_for_ibm_cloud_pak_for_data4.7.0cpe:2.3:a:ibm:cognos_analytics_cartridge_for_ibm_cloud_pak_for_data:4.7.0:*:*:*:*:*:*:*
ibmcognos_analytics_cartridge_for_ibm_cloud_pak_for_data4.7.1cpe:2.3:a:ibm:cognos_analytics_cartridge_for_ibm_cloud_pak_for_data:4.7.1:*:*:*:*:*:*:*
ibmcognos_analytics_cartridge_for_ibm_cloud_pak_for_data4.7.2cpe:2.3:a:ibm:cognos_analytics_cartridge_for_ibm_cloud_pak_for_data:4.7.2:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	cognos_analytics_cartridge_for_ibm_cloud_pak_for_data	4.6.4	cpe:2.3:a:ibm:cognos_analytics_cartridge_for_ibm_cloud_pak_for_data:4.6.4:::::::*
ibm	cognos_analytics_cartridge_for_ibm_cloud_pak_for_data	4.6.5	cpe:2.3:a:ibm:cognos_analytics_cartridge_for_ibm_cloud_pak_for_data:4.6.5:::::::*
ibm	cognos_analytics_cartridge_for_ibm_cloud_pak_for_data	4.7.0	cpe:2.3:a:ibm:cognos_analytics_cartridge_for_ibm_cloud_pak_for_data:4.7.0:::::::*
ibm	cognos_analytics_cartridge_for_ibm_cloud_pak_for_data	4.7.1	cpe:2.3:a:ibm:cognos_analytics_cartridge_for_ibm_cloud_pak_for_data:4.7.1:::::::*
ibm	cognos_analytics_cartridge_for_ibm_cloud_pak_for_data	4.7.2	cpe:2.3:a:ibm:cognos_analytics_cartridge_for_ibm_cloud_pak_for_data:4.7.2:::::::*