Security Bulletin: Information leakage vulnerability affect IBM Business Automation Workflow - CVE-2023-40691

Summary

IBM Business Automation Workflow is vulnerable to an information leakage attack.

Vulnerability Details

CVEID:CVE-2023-40691
**DESCRIPTION:**IBM Business Automation Workflow may reveal sensitive information contained in application configuration to developer and administrator users.
CVSS Base score: 4.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/264805 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

V23.0.1 - V23.0.1-IF004
V22.0.2 all fixes
V22.0.1 all fixes

| affected
IBM Business Automation Workflow containers|

V21.0.3 all fixes
V21.0.2 all fixes
V20.0.0.2 all fixes
V20.0.0.1 all fixes

| Not affected
IBM Business Automation Workflow traditional| V23.0.1
V22.0.1 - V22.0.2| affected
IBM Business Automation Workflow traditional| V21.0.1 - V21.0.3.1
V20.0.0.1 - V20.0.0.2
V19.0.0.1 - V19.0.0.3| Not affected
IBM Business Automation Workflow Enterprise Service Bus| V23.0.1
V22.0.2| affected

For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.

Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR DT230451 as soon as practical.

Workarounds and Mitigations

None