Security Bulletin: IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to multiple issues due to VMware Tanzu Spring

Source: www.ibm.com
Published: 2024-06-12 09:25:41
Tags: ibm sterling, windows, vmware tanzu spring, security bypass, phishing vulnerability

CVSS3: 8.2 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: LOW
  Availability Impact: NONE

AI Score: 7.5 High (Confidence: Low)

EPSS: 0.0004 Low (Percentile: 9.0%)

Summary

There are vulnerabilities in VMware Tanzu Spring Security and Framework used by Integrated Web Services in IBM Sterling Connect:Direct for Microsoft Windows. IBM Sterling Connect:Direct for Microsoft Windows has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2024-22257
**DESCRIPTION:** VMware Tanzu Spring Security could allow a remote attacker to bypass security restrictions, caused by a broken access control when it directly uses the AuthenticatedVoter#vote passing a null Authentication parameter. By sending a direct request, an attacker could exploit this vulnerability to bypass access restrictions.
CVSS Base score: 8.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/285898 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)

CVEID: CVE-2024-22262
**DESCRIPTION:** VMware Tanzu Spring Framework could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in UriComponentsBuilder. An attacker could exploit this vulnerability using a specially-crafted URL to redirect a victim to arbitrary Web sites.
CVSS Base score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/287586 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Sterling Connect:Direct for Microsoft Windows | 6.3.0.0 - 6.3.0.3_iFix002 |

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading …

| Affected Product(s) | Version(s) | Remediation / Fix |
|---|---|---|
| IBM Sterling Connect:Direct for Microsoft Windows | 6.3.0.0 - 6.3.0.3_iFix002 | Apply 6.3.0.3_iFix003, available on Fix Central |
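The affected range and fix level above are the only facts a patch-tracking check needs, but the `_iFixNNN` suffix trips up plain version comparison. The following Python is an added example, not IBM's or Vulners' code: it parses Connect:Direct version strings into a comparable form, decides whether an inventory entry falls inside the bulletin's affected range, and names the fix level to apply. The ordering rule for the iFix suffix (a bare `6.3.0.3` sorts before `6.3.0.3_iFix001`) and the sample inventory are assumptions constructed for the example.

```python
import re
from typing import List, Tuple

# Affected range and fix level exactly as stated in the IBM bulletin.
AFFECTED_MIN = "6.3.0.0"
AFFECTED_MAX = "6.3.0.3_iFix002"
FIXED_LEVEL = "6.3.0.3_iFix003"

# Accepts "6.3.0.3" or "6.3.0.3_iFix002" (assumed format of Connect:Direct versions).
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:_iFix(\d+))?$")


def parse_version(text: str) -> Tuple[Tuple[int, ...], int]:
    """Split '6.3.0.3_iFix002' into ((6, 3, 0, 3), 2).

    A missing iFix suffix counts as 0, so a base release sorts before its
    first interim fix (assumption: iFix numbers are cumulative within a release).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    parts = parts + (0,) * (4 - len(parts))  # pad short strings to four components
    ifix = int(m.group(2)) if m.group(2) else 0
    return parts, ifix


def is_affected(installed: str) -> bool:
    """True when the installed level lies inside the bulletin's affected range (inclusive)."""
    v = parse_version(installed)
    return parse_version(AFFECTED_MIN) <= v <= parse_version(AFFECTED_MAX)


def assess(installed: str) -> str:
    """One-line verdict for a single host, suitable for a ticket or report."""
    if is_affected(installed):
        return (f"AFFECTED: {installed} is within {AFFECTED_MIN} - {AFFECTED_MAX}; "
                f"apply {FIXED_LEVEL} from Fix Central")
    return f"NOT AFFECTED by this bulletin: {installed}"


def affected_hosts(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the host names from (host, version) pairs that still need the fix."""
    return [host for host, version in inventory if is_affected(version)]


if __name__ == "__main__":
    # Constructed sample inventory; host names and levels are not from the bulletin.
    sample = [
        ("cd-win-01", "6.3.0.0"),
        ("cd-win-02", "6.3.0.3_iFix002"),
        ("cd-win-03", "6.3.0.3_iFix003"),
        ("cd-win-04", "6.2.0.5"),
    ]
    for host, version in sample:
        print(f"{host}: {assess(version)}")
    print("needs fix:", affected_hosts(sample))
```

Levels outside the stated range (such as the 6.2 entry in the sample) are reported as not covered by this bulletin, not as safe; the check says nothing about other advisories.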

Workarounds and Mitigations

None
