Lucene search

K
ibmIBMB6DBD83733517726216193740D64412DC04E7BF30C6676550760C4E0245866C3
HistoryMay 11, 2024 - 4:54 p.m.

Security Bulletin: IBM Storage Fusion HCI is vulnerable to phishing attacks and cross-site request forgery due to follow-redirects and Axios.

2024-05-1116:54:49
www.ibm.com
16
ibm storage fusion hci
vulnerability
phishing
cross-site request forgery
follow-redirects
axios
cve-2023-26159
cve-2023-45857

CVSS3

7.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P

AI Score

6.8

Confidence

High

EPSS

0.001

Percentile

28.4%

Summary

follow-redirects and Axios are used by IBM Storage Fusion HCI as part of the Installer and may be vulnerable to the CVE listed below. CVE-2023-26159, CVE-2023-45857.

Vulnerability Details

**CVEID:**CVE-2023-26159 DESCRIPTION: follow-redirects could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker could exploit this vulnerability using a specially crafted URL to redirect a victim to arbitrary Web sites.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/278622 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

**CVEID:**CVE-2023-45857 DESCRIPTION: Axios is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By inserting the X-XSRF-TOKEN header using the secret XSRF-TOKEN cookie value in all requests to any server when the XSRF-TOKEN0 cookie is available, and the withCredentials setting is turned on, an attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
CVSS Base score: 7.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/270574 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Storage Fusion HCI 2.3.0 - 2.7.1

Remediation/Fixes

Product(s) Version(s) number and/or range Remediation/Fix/Instructions
IBM Storage Fusion HCI 2.3.0 - 2.7.1 Upgrade to 2.8.0 - See README for upgrade instructions.

Workarounds and Mitigations

NA

Affected configurations

Vulners
Node
ibmstorage_fusion_hciMatch2.8.0
VendorProductVersionCPE
ibmstorage_fusion_hci2.8.0cpe:2.3:a:ibm:storage_fusion_hci:2.8.0:*:*:*:*:*:*:*

CVSS3

7.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P

AI Score

6.8

Confidence

High

EPSS

0.001

Percentile

28.4%