History: May 22, 2024 - 4:16 a.m.

Security Bulletin: IBM App Connect Enterprise is vulnerable to an authenticated user accessing sensitive information (CVE-2024-31893, CVE-2024-31894 & CVE-2024-31895)

2024-05-22 04:16:16
www.ibm.com
Tags: ibm app connect enterprise, vulnerability, authenticated user, sensitive information, cve-2024-31893, cve-2024-31894, cve-2024-31895, calendly, docusign, square, access token, cvss, it46032, fix pack release

CVSS3: 4.3 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score: 6.5 Medium (Confidence: Low)

EPSS: 0.0004 Low (Percentile: 9.0%)

Summary

IBM App Connect Enterprise Discovery Connector nodes for Calendly, Docusign and Square are vulnerable to an authenticated user accessing sensitive information. This bulletin identifies the steps to take to address the vulnerability.

Vulnerability Details

CVEID: CVE-2024-31893
**DESCRIPTION:** IBM App Connect Enterprise could allow an authenticated user to obtain sensitive calendar information using an expired access token.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/288174 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2024-31894
**DESCRIPTION:** IBM App Connect Enterprise could allow an authenticated user to obtain sensitive user information using an expired access token.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/288175 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2024-31895
**DESCRIPTION:** IBM App Connect Enterprise could allow an authenticated user to obtain sensitive user information using an expired access token.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/288176 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Affected Product(s) | Version(s)
---|---
IBM App Connect Enterprise | 12.0.1.0 - 12.0.12.1

Remediation/Fixes

IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate fix to IBM App Connect Enterprise.

Affected Product(s) | Version(s) | APAR | Remediation / Fixes
---|---|---|---
IBM App Connect Enterprise | 12.0.1.0 - 12.0.12.1 | IT46032 | The APAR (IT46032) is available from IBM App Connect Enterprise v12 - Fix Pack Release 12.0.12.2

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibm app_connect_enterprise Range 12.0.1.0
OR
ibm app_connect_enterprise Range 12.0.12.1
