Lucene search

IBM93FB7B07B9D98006143CF959A87E67D503CE37466D0862592D5F1FFE7BEB3DD7

HistoryJan 22, 2024 - 7:02 p.m.

Security Bulletin: IBM Tivoli Application Dependency Discovery Manager affected by multiple vulnerabilities.

2024-01-2219:02:52

www.ibm.com

denial of service

http header injection

cross-site scripting

cache poisoning

session hijacking

credentials disclosure

unauthorized api access

fixpack

upgrade

taddm

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

7.6

Confidence

High

EPSS

0.001

Percentile

31.9%

JSON

Summary

IBM Tivoli Application Dependency Discovery Manager is vulnerable to denial of service due to multiple vulnerabilities.

Vulnerability Details

CVEID:CVE-2023-47143
**DESCRIPTION:**IBM Tivoli Application Dependency Discovery Manager is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/270270 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID:CVE-2023-47144
**DESCRIPTION:**IBM Tivoli Application Dependency Discovery Manager is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/270271 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2023-47142
**DESCRIPTION:**IBM Tivoli Application Dependency Discovery Manager could allow an attacker on the organization’s local network to escalate their privileges due to unauthorized API access.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/270267 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Tivoli Application Dependency Discovery Manager	7.3.0.0 -7.3.0.10

Remediation/Fixes

IBM strongly recommends addressing the vulnerabilities now by upgrading.

Please refer to the table below to download TADDM FixPack 7.3.0.11.

Fix	How to acquire fix
7.3-TIV-ITADDM-FP00011	Download FixPack

Please refer to the URL for TADDM FixPack 7.3.0.10 Release Notes containing more information about the update.

<https://www.ibm.com/docs/en/taddm/7.3.0?topic=release-notes#relnotes__fp11>

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmtivoli_application_dependency_discovery_managerMatch7.3.0.0

ibmtivoli_application_dependency_discovery_managerMatch7.3.0.9

VendorProductVersionCPE
ibmtivoli_application_dependency_discovery_manager7.3.0.0cpe:2.3:a:ibm:tivoli_application_dependency_discovery_manager:7.3.0.0:*:*:*:*:*:*:*
ibmtivoli_application_dependency_discovery_manager7.3.0.9cpe:2.3:a:ibm:tivoli_application_dependency_discovery_manager:7.3.0.9:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	tivoli_application_dependency_discovery_manager	7.3.0.0	cpe:2.3:a:ibm:tivoli_application_dependency_discovery_manager:7.3.0.0:::::::*
ibm	tivoli_application_dependency_discovery_manager	7.3.0.9	cpe:2.3:a:ibm:tivoli_application_dependency_discovery_manager:7.3.0.9:::::::*