History: Jul 10, 2023 - 10:15 p.m.

Security Bulletin: IBM Robotic Process Automation is vulnerable to disclosure of server version information (CVE-2023-35900)

2023-07-10 22:15:36
www.ibm.com
ibm robotic process automation
cloud pak
disclosure vulnerability
software vulnerabilities
rpa fix
ibm security advisory

CVSS3: 5.3

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS: 0.001
Percentile: 26.6%

Summary

IBM Robotic Process Automation is vulnerable to disclosure of server version information which may be used to determine software vulnerabilities at the operating system level. (CVE-2023-35900)

Vulnerability Details

CVEID: CVE-2023-35900
**DESCRIPTION:** IBM Robotic Process Automation for Cloud Pak is vulnerable to disclosing server version information which may be used to determine software vulnerabilities at the operating system level.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/259368 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Robotic Process Automation | <= 21.0.7.4, 23.0.0 - 23.0.5 |
| IBM Robotic Process Automation for Cloud Pak | <= 21.0.7.4, 23.0.0 - 23.0.5 |
| IBM Robotic Process Automation as a Service | <= 21.0.7.4, 23.0.0 - 23.0.5 |

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

| Product(s) | Version(s) number and/or range | Remediation/Fix/Instructions |
|---|---|---|
| IBM Robotic Process Automation | 21.0.0 - 21.0.7.4 | Download 21.0.7.5 or higher, and follow instructions. |
| IBM Robotic Process Automation | 23.0.0 - 23.0.5 | Download 23.0.6 or higher, and follow instructions. |
| IBM Robotic Process Automation for Cloud Pak | 21.0.0 - 21.0.7.4 | Update to 21.0.7.5 or higher using the following instructions. |
| IBM Robotic Process Automation for Cloud Pak | 23.0.0 - 23.0.5 | Update to 23.0.6 or higher using the following instructions. |
| IBM Robotic Process Automation as a Service | <= 23.0.5 | No action required as all IBM Robotic Process Automation Servers have been updated to 23.0.6 or higher. |

Workarounds and Mitigations

None.

Affected configurations

Vulners
Node
ibm robotic_process_automation Match 21.0.0
OR
ibm robotic_process_automation Match 21.0.7.4
OR
ibm robotic_process_automation Match 23.0.0
OR
ibm robotic_process_automation Match 23.0.5

| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | robotic_process_automation | 21.0.0 | cpe:2.3:a:ibm:robotic_process_automation:21.0.0:*:*:*:*:*:*:* |
| ibm | robotic_process_automation | 21.0.7.4 | cpe:2.3:a:ibm:robotic_process_automation:21.0.7.4:*:*:*:*:*:*:* |
| ibm | robotic_process_automation | 23.0.0 | cpe:2.3:a:ibm:robotic_process_automation:23.0.0:*:*:*:*:*:*:* |
| ibm | robotic_process_automation | 23.0.5 | cpe:2.3:a:ibm:robotic_process_automation:23.0.5:*:*:*:*:*:*:* |
