
Security Bulletin: IBM Rational Developer for i is vulnerable to leaked credentials due to a flaw in follow-redirects (CVE-2024-28849).

Published: 2024-06-11 21:24:04 (www.ibm.com)

CVSS3: 6.5
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score: 6.9 (Confidence: High)
EPSS: 0 (Percentile: 10.3%)

Summary

IBM Rational Developer for i contains Code Coverage functionality which has a browser interface. The browser interface utilizes follow-redirects which could allow a remote attacker to obtain credentials (CVE-2024-28849). This bulletin identifies the steps to take to address the vulnerability as described in the remediation/fixes section.

Vulnerability Details

CVEID: CVE-2024-28849
**DESCRIPTION:** Node.js follow-redirects module could allow a remote authenticated attacker to obtain sensitive information, caused by the leakage of credentials when clearing the authorization header during a cross-domain redirect but keeping the proxy-authentication header. An attacker could exploit this vulnerability to obtain credentials and other sensitive information.
CVSS Base score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/285690 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| RDi | 9.8 |

Remediation/Fixes

The issue can be fixed by installing a fixpack.

| Product(s) | Version(s) | Remediation/Fix/Instructions |
|---|---|---|
| IBM Rational Developer for i | 9.8.0.0 - 9.8.0.1 | Instructions to install fixpack 9.8.0.2 for IBM Rational Developer for i are available at Install New Version. |

<https://www.ibm.com/support/fixcentral>

Workarounds and Mitigations

None

Affected configurations (Vulners)

ibm rational_business_developer 9.8.0.0 OR ibm rational_business_developer 9.8.0.1

| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | rational_business_developer | 9.8.0.0 | cpe:2.3:a:ibm:rational_business_developer:9.8.0.0:*:*:*:*:*:*:* |
| ibm | rational_business_developer | 9.8.0.1 | cpe:2.3:a:ibm:rational_business_developer:9.8.0.1:*:*:*:*:*:*:* |
