Lucene search

IBM98425D18F94A31B61B92B4AAD77CA798D8D38DDCB1875E71325BD4EA27908AB6

HistoryAug 08, 2024 - 3:55 p.m.

Security Bulletin: IBM Cloud Pak for Data is vulnerable to cross-site scripting due to Jinja ( CVE-2024-22195 )

2024-08-0815:55:10

www.ibm.com

ibm cloud pak for data

jinja

cross-site scripting

vulnerability

cve-2024-22195

pallets jinja

security

web page

authentication credentials

ibm

remediation

instructions

version 4.8.5

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

6.2

Confidence

Low

JSON

Summary

Jinja is used by IBM Cloud Pak for Data as part of the platform. CVE-2024-22195.

Vulnerability Details

CVEID:CVE-2024-22195
**DESCRIPTION:**Pallets Jinja is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the xmlattr filter. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279344 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s)|**Version(s)
**
—|—
IBM Cloud Pak for Data| 4.0.0-4.8.4

Remediation/Fixes

IBM****strongly recommends addressing the vulnerability now.

Product(s)

Version(s) number and/or range

Remediation/Fix/Instructions

—|—|—

IBM Cloud Pak for Data

4.0.0-4.8.4

Download 4.8.5 and follow instructions

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmcloud_pak_for_dataMatch4.8.5

VendorProductVersionCPE
ibmcloud_pak_for_data4.8.5cpe:2.3:a:ibm:cloud_pak_for_data:4.8.5:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	cloud_pak_for_data	4.8.5	cpe:2.3:a:ibm:cloud_pak_for_data:4.8.5:::::::*

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

6.2

Confidence

Low

JSON

Related for 98425D18F94A31B61B92B4AAD77CA798D8D38DDCB1875E71325BD4EA27908AB6