Lucene search

K
ibmIBM61B96888819C374F3421BF72DEAA770C0FF3BCC903B9EB5DCA38514472D35D68
HistoryMay 09, 2024 - 7:13 a.m.

Security Bulletin: IBM Automation Decision Services - April 2024 -Multiple CVEs addressed

2024-05-0907:13:05
www.ibm.com
13
ibm automation decision services
april 2024
multiple cves
denial of service
third party
open source
vulnerabilities
interim fix
ibm cloud pak
git repository

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

8.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

AI Score

9.3

Confidence

High

EPSS

0.005

Percentile

76.0%

Summary

IBM Automation Decision Services is vulnerable to denial of service attacks in third party and open source used in the product for various functions. See full list below. This vulnerability has been addressed.

Vulnerability Details

CVEID:CVE-2024-31906
**DESCRIPTION:**IBM Automation Decision Services allows web pages to be stored locally which can be read by another user on the system.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/289860 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2024-22257
**DESCRIPTION:**VMware Tanzu Spring Security could allow a remote attacker to bypass security restrictions, caused by a broken access control when it directly uses the AuthenticatedVoter#vote passing a null Authentication parameter. By sending a direct request, an attacker could exploit this vulnerability to bypass access restrictions.
CVSS Base score: 8.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/285898 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)

CVEID:CVE-2024-22259
**DESCRIPTION:**VMware Tanzu Spring Framework could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in UriComponentsBuilder. An attacker could exploit this vulnerability using a specially-crafted URL to redirect a victim to arbitrary Web sites.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/285631 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)

CVEID:CVE-2021-33813
**DESCRIPTION:**JDOM is vulnerable to a denial of service, caused by an XXE issue in SAXBuilder. By sending a specially-crafted HTTP request, a remote attacker could exploit this vulnerability to cause the a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/203804 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Automation Decision Services 23.0.2

Remediation/Fixes

IBM Automation Decision Services 23.0.2:

Interim fix 004 is available:

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmautomation_workstream_servicesMatch23.0.1

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

8.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

AI Score

9.3

Confidence

High

EPSS

0.005

Percentile

76.0%