IBM5E33F5A19723F413B4FE1881BCEF9C3356E659550C5A5438537D350F0C1DD9A7Security Bulletin: IBM Edge Application Manager 4.5.3 addresses the security vulnerabilities listed in the CVEs below.
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
7.3 High
AI Score
Confidence
High
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.001 Low
EPSS
Percentile
22.0%
Summary
IBM Edge Application Manager 4.5.3 addresses the security vulnerabilities listed in the CVEs below.
Vulnerability Details
CVEID:CVE-2023-45857
**DESCRIPTION:**Axios is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By inserting the X-XSRF-TOKEN header using the secret XSRF-TOKEN cookie value in all requests to any server when the XSRF-TOKEN0 cookie is available, and the withCredentials setting is turned on, an attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
CVSS Base score: 7.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/270574 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)
CVEID:CVE-2023-26144
**DESCRIPTION:**GraphQL GraphQL.js is vulnerable to a denial of service, caused by insufficient checks in the OverlappingFieldsCanBeMergedRule.ts. By sending specially crafted queries, a remote attacker could exploit this vulnerability to degrade system performance, and results in a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/266689 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
**IBM X-Force ID:**266698
**DESCRIPTION:**Apollo GraphQL Apollo Server could allow a remote attacker to obtain sensitive information, caused by the log of sensitive information. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain Studio API keys information, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/266698 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM Edge Application Manager | 4.5 |
| IBM Edge Application Manager | 4.4 |
| IBM Edge Application Manager | 4.5 |
| IBM Edge Application Manager | 4.4 |
| IBM Edge Application Manager | 4.3 |
| IBM Edge Application Manager | 4.5 |
| IBM Edge Application Manager | 4.4 |
| IBM Edge Application Manager | 4.3 |
Remediation/Fixes
The fix/upgrade is a set of docker images, that will automatically be pulled and deployed from both dockerhub and the IBM Entitled Registry.
Workarounds and Mitigations
None
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm edge application manager | eq | 4.3 | |
| ibm edge application manager | eq | 4.4 | |
| ibm edge application manager | eq | 4.5 |
Related
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
7.3 High
AI Score
Confidence
High
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.001 Low
EPSS
Percentile
22.0%