
Security Bulletin: IBM Data Studio Web Console is vulnerable to cross-site request forgery, caused by improper validation of browser request headers.

Published: 2022-09-26 05:45:55
Source: www.ibm.com
Tags: ibm data studio, web console, cross-site request forgery, vulnerability, cve-2013-2980, security bulletin, ibm cloud, upgrade, secure engineering

CVSS2: 6.8
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.001
Percentile: 39.2%

Abstract

A service in the IBM Data Studio Web Console versions 3.1.0 and 3.1.1 is impacted by cross-site request forgery. By persuading an authenticated user to visit a malicious web site, a remote attacker could exploit this vulnerability to obtain sensitive information.

Content

VULNERABILITY DETAILS

CVE ID: CVE-2013-2980

DESCRIPTION:

Exploitation is possible only after a user has logged in to the console successfully and then visits a malicious web site. Client-side code on that site may be able to trick the user's browser into retrieving sensitive monitored database information (such as health status or job execution failures).
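The bulletin attributes the flaw to improper validation of browser request headers: a request triggered from another site still carries the logged-in user's session cookie, so the console must decide from the request itself whether it came from its own pages. The following is an added, self-contained example (not IBM's code and not the Data Studio Web Console's actual implementation) of the server-side check a defender would want on such an endpoint: derive the requesting origin from the Origin header (falling back to Referer), compare it with the console's own origin, and additionally require a per-session anti-CSRF token. The console origin, the JSESSIONID cookie name, the X-CSRF-Token header, the csrf_token form field and the sample requests are all assumptions constructed for the demonstration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed origin of the web console; in a real deployment this comes from configuration.
CONSOLE_ORIGIN = "https://dsweb.example.internal:11080"


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as seen by a server-side filter (constructed)."""
    method: str
    path: str
    headers: dict
    cookies: dict
    form: dict = field(default_factory=dict)


def issue_token(sessions, session_id):
    """Bind a fresh random anti-CSRF token to an authenticated session."""
    token = secrets.token_urlsafe(32)
    sessions[session_id] = token
    return token


def _origin_of(url):
    """Reduce a URL to scheme://host[:port]; None for 'null' or malformed values."""
    parts = urlsplit(url)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}".lower()
    return None


def request_origin(headers):
    """Derive the requesting origin from Origin, else from Referer, else None."""
    lower = {k.lower(): v for k, v in headers.items()}
    if "origin" in lower:
        return _origin_of(lower["origin"])
    if "referer" in lower:
        return _origin_of(lower["referer"])
    return None


def csrf_check(req, sessions):
    """Return (accepted, reason) for a request to a sensitive console endpoint.

    Order matters: unauthenticated requests are not a CSRF concern, a request whose
    browser-supplied origin is absent or foreign is rejected before any token is
    looked at, and finally the per-session token is compared in constant time.
    """
    expected = sessions.get(req.cookies.get("JSESSIONID"))
    if expected is None:
        return False, "no authenticated session"
    origin = request_origin(req.headers)
    if origin is None:
        return False, "missing or null Origin/Referer"
    if origin != CONSOLE_ORIGIN.lower():
        return False, f"cross-site origin {origin}"
    lower = {k.lower(): v for k, v in req.headers.items()}
    presented = lower.get("x-csrf-token") or req.form.get("csrf_token")
    if not presented or not hmac.compare_digest(presented.encode(), expected.encode()):
        return False, "missing or invalid anti-CSRF token"
    return True, "ok"


if __name__ == "__main__":
    sessions = {}
    token = issue_token(sessions, "sid-123")
    # Constructed requests: one from the console's own pages, one from a lure page.
    same_site = Request("GET", "/console/api/health",
                        {"Origin": CONSOLE_ORIGIN, "X-CSRF-Token": token},
                        {"JSESSIONID": "sid-123"})
    lured = Request("GET", "/console/api/health",
                    {"Referer": "https://lure.example/page.html"},
                    {"JSESSIONID": "sid-123"})
    for name, r in (("same-site", same_site), ("cross-site", lured)):
        print(name, csrf_check(r, sessions))
```

The origin check alone covers the header-validation gap the bulletin names, but browsers can omit both Origin and Referer for some navigations, which is why the check treats an absent origin as a failure on sensitive endpoints and why the token is required as well; logging the reason string gives a detection signal for cross-site requests arriving with valid session cookies.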

CVSS:
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/84113 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/AU:N/C:P/I:N/A:N)

AFFECTED PRODUCTS :

IBM Data Studio Web Console 3.1.0 and 3.1.1 on all supported operating systems.

REMEDIATION:

Fix(es):
Upgrade to IBM Data Studio Web Console 3.2 - http://www.ibm.com/developerworks/downloads/im/data/

Mitigation:
None

Workaround(s):
None

REFERENCES:

· Complete CVSS Guide
· On-line Calculator V2
· X-Force Vulnerability Database (84113)
· CVE-2013-2980

RELATED INFORMATION:

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Program

CHANGE HISTORY:

14 June 2013: Original publication

[{"Product":{"code":"SS62YD","label":"IBM Data Studio"},"Business Unit":{"code":"BU059","label":"IBM Software w/o TPS"},"Component":"Web Console","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"3.1;3.1.1","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Affected configurations

Vulners node: ibm data_studio Match 3.1 OR ibm data_studio Match 3.1.1

Vendor  Product      Version  CPE
ibm     data_studio  3.1      cpe:2.3:a:ibm:data_studio:3.1:*:*:*:*:*:*:*
ibm     data_studio  3.1.1    cpe:2.3:a:ibm:data_studio:3.1.1:*:*:*:*:*:*:*
