CVSS v3.1 base score: 5.4 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network | Attack Complexity: Low | Privileges Required: Low | User Interaction: Required | Scope: Changed | Confidentiality Impact: Low | Integrity Impact: Low | Availability Impact: None
EPSS score: 0.001 (Low), percentile 19.8%
Digital Certificate Manager for IBM i is vulnerable to a cross-site scripting issue in the old (heritage) web application, as described in the vulnerability details section. IBM i has addressed the applicable CVE with a fix to the Digital Certificate Manager web application, as described in the remediation/fixes section.
CVEID: CVE-2022-34358
**DESCRIPTION:** IBM i is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/230516 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Affected Product(s) | Version(s) |
---|---|
IBM i | 7.5 |
IBM i | 7.4 |
IBM i | 7.3 |
IBM i | 7.2 |
The originally reported issue is fixed by applying a PTF to IBM i. Fixes are provided for IBM i releases 7.5, 7.4, 7.3, and 7.2.
The following IBM i PTFs contain the fix for the vulnerability:

IBM i Release | 5770-SS1 PTF Number | PTF Download Link
---|---|---
7.5 | SI80415 | SI80415
7.4 | SI80414 | SI80414
7.3 | SI80413 | SI80413
7.2 | SI80412 | SI80412
Additional URLs were subsequently identified that could be used for a cross-site scripting attack against the heritage web application. The PTFs above have therefore been superseded; systems that applied only the original PTFs should apply the superseding PTFs.
The following superseding IBM i PTFs contain the fix for the vulnerability, including the additional URLs:

IBM i Release | 5770-SS1 PTF Number | PTF Download Link
---|---|---
7.5 | SI81854 | SI81854
7.4 | SI81853 | SI81853
7.3 | SI81852 | SI81852
7.2 | SI81845 | SI81845
It is recommended that the heritage version of Digital Certificate Manager not be used. PTFs are available that disable the heritage version of Digital Certificate Manager on IBM i releases 7.5, 7.4, and 7.3 (no disabling PTF is listed for 7.2).
The following IBM i PTFs disable the heritage version of Digital Certificate Manager:

IBM i Release | 5770-DG1 PTF Number | PTF Download Link
---|---|---
7.5 | SI81417 | SI81417
7.4 | SI81418 | SI81418
7.3 | SI81419 | SI81419
<https://www.ibm.com/support/fixcentral>
_Important note:_ IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed versions of affected products.
Instead of using the heritage version of Digital Certificate Manager, it is recommended to use the new IBM Digital Certificate Manager for i user interface by specifying this URL: http://systemname:2001/dcm
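To verify that the fixes above are actually in effect on a partition, the added example below (not IBM's code and not part of this bulletin) checks rows exported from the QSYS2.PTF_INFO SQL service against the PTF numbers in the tables. It follows PTF supersession, so a later PTF that replaces SI81854 still counts as delivering the fix; it treats the original PTF alone as insufficient because of the additionally identified URLs; and it reports whether the heritage DCM has been disabled. The PTF_INFO column names and the loaded-status vocabulary (APPLIED, PERMANENTLY APPLIED, SUPERSEDED, NOT LOADED) are assumed from IBM's documentation of that service and should be confirmed on your release; the sample rows are constructed.

```python
"""Assess CVE-2022-34358 fix status on an IBM i partition from QSYS2.PTF_INFO rows.

Added example, not IBM's code. PTF numbers come from the bulletin above; the
PTF_INFO column names and status values are assumed from the service's
documentation and should be checked against your release. Sample rows are
constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Fix PTFs per release (product 5770-SS1). The superseding PTF also closes the
# additional XSS URLs found later, so the original PTF alone is not sufficient.
REQUIRED_PTFS = {
    "V7R5M0": {"original": "SI80415", "superseding": "SI81854"},
    "V7R4M0": {"original": "SI80414", "superseding": "SI81853"},
    "V7R3M0": {"original": "SI80413", "superseding": "SI81852"},
    "V7R2M0": {"original": "SI80412", "superseding": "SI81845"},
}
# PTFs (product 5770-DG1) that disable the heritage DCM; none is listed for 7.2.
DISABLE_PTFS = {"V7R5M0": "SI81417", "V7R4M0": "SI81418", "V7R3M0": "SI81419"}
APPLIED_STATUSES = {"APPLIED", "PERMANENTLY APPLIED"}  # assumed status vocabulary

# Query that yields the rows this script consumes (run on the partition, e.g.
# from ACS Run SQL Scripts, and feed the result rows in as dicts).
PTF_QUERY = """
SELECT PTF_IDENTIFIER, PTF_RELEASE_LEVEL, PTF_LOADED_STATUS, PTF_SUPERSEDED_BY_PTF
  FROM QSYS2.PTF_INFO
 WHERE PTF_PRODUCT_ID IN ('5770SS1', '5770DG1')
"""


@dataclass
class Verdict:
    release: str
    xss_fixed: bool
    fixing_ptf: Optional[str]          # PTF that actually delivers the fix
    heritage_disabled: Optional[bool]  # None when no disabling PTF exists
    notes: List[str] = field(default_factory=list)


def delivering_ptf(ptf_id: str, by_id: Dict[str, dict], max_hops: int = 16) -> Optional[str]:
    """Return the applied PTF that carries ptf_id's fix, following supersession.

    An APPLIED/PERMANENTLY APPLIED PTF counts directly. A SUPERSEDED one counts
    if the PTF named in PTF_SUPERSEDED_BY_PTF (or one further up the chain) is
    applied, because a superseding PTF includes the fixes of those it replaces.
    """
    seen = set()
    current = ptf_id
    for _ in range(max_hops):  # bounded walk; also guards against cyclic data
        row = by_id.get(current)
        if row is None or current in seen:
            return None
        seen.add(current)
        status = row.get("PTF_LOADED_STATUS", "")
        if status in APPLIED_STATUSES:
            return current
        if status == "SUPERSEDED" and row.get("PTF_SUPERSEDED_BY_PTF"):
            current = row["PTF_SUPERSEDED_BY_PTF"]
            continue
        return None
    return None


def assess(release: str, rows: List[dict]) -> Verdict:
    """Decide whether the bulletin's fix and the heritage-DCM disable are in effect."""
    if release not in REQUIRED_PTFS:
        raise ValueError(f"{release} is not covered by this bulletin")
    by_id = {r["PTF_IDENTIFIER"]: r for r in rows if r.get("PTF_RELEASE_LEVEL") == release}
    req = REQUIRED_PTFS[release]
    verdict = Verdict(release, False, None, None)

    verdict.fixing_ptf = delivering_ptf(req["superseding"], by_id)
    verdict.xss_fixed = verdict.fixing_ptf is not None
    if not verdict.xss_fixed:
        if delivering_ptf(req["original"], by_id):
            verdict.notes.append(f"{req['original']} applied but {req['superseding']} missing: "
                                 "additionally identified XSS URLs remain exposed")
        else:
            verdict.notes.append(f"neither {req['original']} nor {req['superseding']} is applied")

    disable = DISABLE_PTFS.get(release)
    if disable is None:
        verdict.notes.append("no disabling PTF exists for this release; heritage DCM stays reachable")
    else:
        verdict.heritage_disabled = delivering_ptf(disable, by_id) is not None
        if not verdict.heritage_disabled:
            verdict.notes.append(f"heritage DCM still enabled: {disable} not applied")
    return verdict


# Constructed sample: 7.5 partition with the superseding fix applied, the original
# PTF marked SUPERSEDED by it, and the disabling PTF not yet loaded.
SAMPLE_ROWS_75 = [
    {"PTF_IDENTIFIER": "SI80415", "PTF_RELEASE_LEVEL": "V7R5M0",
     "PTF_LOADED_STATUS": "SUPERSEDED", "PTF_SUPERSEDED_BY_PTF": "SI81854"},
    {"PTF_IDENTIFIER": "SI81854", "PTF_RELEASE_LEVEL": "V7R5M0",
     "PTF_LOADED_STATUS": "PERMANENTLY APPLIED", "PTF_SUPERSEDED_BY_PTF": ""},
    {"PTF_IDENTIFIER": "SI81417", "PTF_RELEASE_LEVEL": "V7R5M0",
     "PTF_LOADED_STATUS": "NOT LOADED", "PTF_SUPERSEDED_BY_PTF": ""},
]
# Constructed sample: 7.4 partition that only ever applied the first PTF.
SAMPLE_ROWS_74 = [
    {"PTF_IDENTIFIER": "SI80414", "PTF_RELEASE_LEVEL": "V7R4M0",
     "PTF_LOADED_STATUS": "APPLIED", "PTF_SUPERSEDED_BY_PTF": ""},
]

if __name__ == "__main__":
    for rel, rows in (("V7R5M0", SAMPLE_ROWS_75), ("V7R4M0", SAMPLE_ROWS_74)):
        print(assess(rel, rows))
```

Rows are filtered by PTF_RELEASE_LEVEL before matching, so a multi-release export can be fed in unchanged; the release string is the VxRyMz form PTF_INFO reports, not the "7.5" form used in the bulletin's tables.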