Security Bulletin: Vulnerability in urllib3 might affect IBM Spectrum Sentinel Anomaly Scan Engine (CVE-2023-43804, CVE-2023-45803)

Summary

Vulnerabilities in urllib3 might affect IBM Spectrum Sentinel Anomaly Scan Engine. Vulnerabilities include allowing remote attacker to obtain sensitive information to launch further attacks against the affected system.

Vulnerability Details

CVEID:CVE-2023-43804
**DESCRIPTION:**urllib3 could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw with cookie request header not stripped during cross-origin redirects. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268192 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N)

CVEID:CVE-2023-45803
**DESCRIPTION:**urllib3 could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw with not remove the HTTP request body when an HTTP redirect response using status 303. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 4.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/269079 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Remediation/Fixes

IBM Spectrum Sentinel Anomaly Scan Engine

|

Fixing Level

|

Platform

|

Link to Fix and Instructions

—|—|—|—

1.1.0-1.1.5

|

1.1.6

|

Linux

|

<https://www.ibm.com/support/pages/node/7070601&gt;

Please refer to IBM Spectrum Copy Data Management security bulletins for the Spectrum Copy Data Management vulnerabilities.

Workarounds and Mitigations

None