IBM WebSphere Application Server Liberty for IBM i contains swagger-ui which is vulnerable to spoofing and clickjacking attacks as described in the vulnerability details section. IBM WebSphere Application Server Liberty for IBM i has addressed the vulnerabilities with a fix that upgrades the Liberty runtime to version 22.0.0.3.
CVEID: CVE-2018-25031
**DESCRIPTION:** swagger-ui could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a specially-crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217346 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
CVEID: CVE-2021-46708
**DESCRIPTION:** npm swagger-ui-dist could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim’s click actions and possibly launch further attacks against the victim.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217359 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
| Affected Product(s) | Version(s) |
|---|---|
| IBM i | 7.4 |
| IBM i | 7.3 |
| IBM i | 7.2 |
IBM strongly recommends addressing the vulnerabilities now.
The issues can be fixed by applying a PTF to IBM i. IBM i releases 7.4, 7.3, and 7.2 will be fixed.
The IBM i PTF numbers containing the fix for the CVEs:

| IBM i Release | 5770-SS1 PTF Number | PTF Download Link |
|---|---|---|
| 7.4 | SI78971 | <https://www.ibm.com/support/pages/ptf/SI78971> |
| 7.3 | SI78972 | <https://www.ibm.com/support/pages/ptf/SI78972> |
| 7.2 | SI78973 | <https://www.ibm.com/support/pages/ptf/SI78973> |
The PTFs are also available from IBM Fix Central: <https://www.ibm.com/support/fixcentral>
Important note: IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed versions of affected products.
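A small verification helper for this bulletin, added here as an example and not part of IBM's advisory or the Liberty product: it checks whether a reported Liberty runtime level is at or above the fixed 22.0.0.3, and whether HTTP response headers captured from the swagger-ui endpoint restrict framing, which is the browser-side control against the clickjacking issue in CVE-2021-46708. The header sample is constructed; collect real headers from your own Liberty instance.

```python
from typing import Mapping, Tuple

# Liberty runtime level that this bulletin names as containing the fix.
FIXED_LIBERTY = (22, 0, 0, 3)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '22.0.0.3' into (22, 0, 0, 3), padded to four numeric parts, so that
    '22.0.0.10' compares numerically above '22.0.0.3' (a string compare would not)."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))[:4]


def liberty_is_fixed(version: str) -> bool:
    """True when the reported Liberty runtime is at or above the fixed level."""
    return parse_version(version) >= FIXED_LIBERTY


def framing_restricted(headers: Mapping[str, str]) -> bool:
    """True when the response forbids framing by other origins, either through
    X-Frame-Options DENY/SAMEORIGIN or a CSP frame-ancestors directive that
    does not allow '*'. Header names are matched case-insensitively."""
    lower = {name.lower(): value for name, value in headers.items()}
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True
    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            sources = value.split()
            return bool(sources) and "*" not in sources
    return False


if __name__ == "__main__":
    # Constructed sample: a pre-fix runtime and a response with no framing control.
    sample_version = "21.0.0.12"
    sample_headers = {"Content-Type": "text/html", "Cache-Control": "no-store"}
    print("Liberty at fixed level:", liberty_is_fixed(sample_version))
    print("swagger-ui framing restricted:", framing_restricted(sample_headers))
```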
None