Lucene search

IBM59E1A47A20571A6625154C14FE65B1F0904FF5FAC7C8C58FF2275A8D29AB2B4C

HistoryMar 29, 2024 - 10:45 a.m.

Security Bulletin: Vulnerability in Enterprise Security API for Java affects IBM Process Mining WS-2023-0429

2024-03-2910:45:28

www.ibm.com

enterprise security api

java

ibm process mining

vulnerability

remote attacker

authentication

security fixes

cross-site scripting

ibm x-force id

cvss base score

cvss temporal score

affected products

remediation

upgrading

installation

openshift

passportadvantage

7.3 High

AI Score

Confidence

High

JSON

Summary

There is a vulnerability in Enterprise Security API for Java that could allow an remote attacker to steal cookie-based authentication credentials on the system. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability.

Vulnerability Details

**IBM X-Force ID:**273485
**DESCRIPTION:**Enterprise Security API for Java is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the Validator.isValidSafeHTML method. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/273485 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Process Mining

1.12.0.5, 1.13.0, 1.13.1, 1.13.2, 1.14.0, 1.14.1, 1.14.2, 1.14.2 IF001, 1.14.3, 1.14.3 IF001

Remediation/Fixes

Any open source library may be included in one or more sub-components of IBM Process Mining. Open source updates are not always synchronized across all components. The CVE in this bulletin are specifically addressed by

Product(s)	Version(s) number and/or range	Remediation/Fix/Instructions
IBM Process Mining on RedHat OpenShift

1.12.0.5, 1.13.0, 1.13.1, 1.13.2, 1.14.0, 1.14.1, 1.14.2, 1.14.2 IF001, 1.14.3, 1.14.3 IF001

| **Install/Upgrade to version 1.14.4

Installing a Production deployment
1.**To deploy a Production deployment, see installing on
RedHat OpenShift Container Platform environments

**Upgrading an Installation **** **1.To perform an upgrade of a Production deployment, see
upgrading in RedHat OpenShift Container Platform
environments
IBM Process Mining traditional|

1.12.0.5, 1.13.0, 1.13.1, 1.13.2, 1.14.0, 1.14.1, 1.14.2, 1.14.3

| **Install/Upgrade to version 1.14.4

** 1.Login to PassPortAdvantage
2.Search for
M0HJMML Process Mining 1.14.4 Server Multiplatform
Multilingual
3.Download package
4.Follow install instructions
5.Repeat for M0HJNML Process Mining 1.14.4 Client
Windows Multilingual

Workarounds and Mitigations

None known

Affected configurations

Vulners

Node

ibmrobotic_process_automation_as_a_serviceMatch1.12.0.5

ibmrobotic_process_automation_as_a_serviceMatch1.13.0

ibmrobotic_process_automation_as_a_serviceMatch1.13.1

ibmrobotic_process_automation_as_a_serviceMatch1.13.2

ibmrobotic_process_automation_as_a_serviceMatch1.14.0

ibmrobotic_process_automation_as_a_serviceMatch1.14.1

ibmrobotic_process_automation_as_a_serviceMatch1.14.2

ibmrobotic_process_automation_as_a_serviceMatch001

ibmrobotic_process_automation_as_a_serviceMatch1.14.3