Security Bulletin: A Security Vulnerability was fixed in IBM Security Verify Access. (CVE-2024-35133)

Summary

An issue found in the IBM Security Verify Access OIDC code could allow a remote attacker to cause a Redirect URL vulerability

Vulnerability Details

CVEID:CVE-2024-35133
**DESCRIPTION:**IBM Security Verify Access OIDC Provider could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/291026 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N)

Affected Products and Versions

Remediation/Fixes

IBM encourages customers to update their systems promptly.

IBM Security Verify Access (Docker Container)

• Obtain the latest version of the container by running the command “docker pull icr.io/isva/verify-access:[tag]”

Where [tag] is the latest published version and can be confirmed here.

For the ISAM/ISVA appliances

• Obtain the latest version by obtaining the fix at the location shown below:

Affected Products and Versions

|

Fix availability

—|—

IBM Security Verify Access 10.0.0.0 - 10.0.7.0

|

10.0.8-ISS-ISVA-IF0001

Workarounds and Mitigations

None