The App Connect Enterprise Certified Container Dashboard is vulnerable to CVE-2019-11324 through its use of CouchDB for storing flow data, where the Operator is installed in a Restricted Network cluster.
**CVEID:** CVE-2019-11324
**DESCRIPTION:** urllib3 could allow a remote attacker to bypass security restrictions, caused by mishandling of certificates. By sending a specially crafted certificate, an attacker could exploit this vulnerability to allow SSL connections.
CVSS Base score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/159909 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Affected Product(s) | Version(s) |
---|---|
App Connect Enterprise Certified Container | 1.0.0 with Operator |
App Connect Enterprise Certified Container | 1.0.1 with Operator |
App Connect Enterprise Certified Container | 1.0.2 with Operator |
App Connect Enterprise Certified Container | 1.0.3 with Operator |
Upgrade App Connect Enterprise Certified Container to Operator version 1.0.4 as defined in CASE 1.0.5. This version explicitly requires CouchDB operator 1.2.1 as a prerequisite, which resolves CVE-2019-11324.
None