Lucene search

K
ibmIBM8AC713850E4FBB5B985B37A790E86723C8262DA2E270A77BC5848DB279D93E87
HistoryApr 30, 2024 - 7:36 a.m.

Security Bulletin: IBM Decision Optimization for Cloud Pak for Data may be vulnerable to a remote attacker (CVE-2024-28849)

2024-04-3007:36:22
www.ibm.com
12
ibm cloud pak for data
vulnerability
remote attacker
node.js
cve-2024-28849
information leakage
credentials
security bulletin
upgrade
follow-redirects
cvss base score 6.5

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.2

Confidence

Low

EPSS

0

Percentile

10.3%

Summary

There is a vulnerability in follow-redirects used by IBM Decision Optimization for IBM Cloud Pak for Data. IBM Decision Optimization for IBM Cloud Pak for Data has addressed the applicable CVE.

Vulnerability Details

CVEID:CVE-2024-28849
**DESCRIPTION:**Node.js follow-redirects module could allow a remote authenticated attacker to obtain sensitive information, caused by the leakage of credentials when clearing authorization header during cross-domain redirect, but keeping the proxy-authentication header. An attacker could exploit this vulnerability to obtain credentials and other sensitive information.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/285690 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
Decision Optimization for Cloud Pak for Data All

Remediation/Fixes

Users are strongly encouraged to upgrade to IBM Decision Optimization for IBM Cloud Pak for Data 4.8 and subsequent releases.
Here is the detailed information on Upgrading IBM Cloud Pak for Data

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmcloud_pak_for_dataMatchany

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.2

Confidence

Low

EPSS

0

Percentile

10.3%