History: Jan 26, 2021 - 5:27 p.m.

Security Bulletin: IBM Cloud Pak For Security vulnerable to potential information disclosure through HTTP headers (CVE-2020-4967)

2021-01-26 17:27:02
www.ibm.com
EPSS: 0.001 (Low)

EPSS Percentile: 19.6%

Summary

IBM Cloud Pak for Security 1.3.0.1 could disclose sensitive information through HTTP headers, which could be used in further attacks against the system. Response headers include information that provides an attacker with clues that can be used to focus attacks for better results. This has been addressed in an update.

Vulnerability Details

**CVEID:** CVE-2020-4967
**DESCRIPTION:** IBM Cloud Pak for Security (CP4S) could disclose sensitive information through HTTP headers which could be used in further attacks against the system.
CVSS Base score: 3.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/192425 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| Cloud Pak for Security (CP4S) | 1.3.0.1 |

Remediation/Fixes

Upgrade to IBM Cloud Pak for Security v1.4.0.0 or greater at <https://cloud.ibm.com/catalog/content/ibm-cp-security-b25bd169-0fbd-4cf3-a8ea-0067316158a4-global> or following <https://www.ibm.com/support/knowledgecenter/en/SSTDPP_1.4.0/platform/docs/security-pak/upgrading.html>

Workarounds and Mitigations

None
