Aug 13, 2019 - 7:58 p.m.

Security Bulletin: IBM Cloud Private Identity and Access Management is vulnerable to a cross-site request forgery attack (CVE-2019-4117)

2019-08-13 19:58:44
www.ibm.com

EPSS: 0.001 (Low)
EPSS Percentile: 26.1%

Summary

IBM Cloud Private Identity and Access Management is vulnerable to a cross-site request forgery attack.

Vulnerability Details

CVEID: CVE-2019-4117
DESCRIPTION: IBM Cloud Private is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/158116> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)

Affected Products and Versions

IBM Cloud Private 2.1.x, 3.1.0, 3.1.1, 3.1.2

Remediation/Fixes

Product defect fixes and security updates are only available for the two most recent Continuous Delivery (CD) update packages:

  • IBM Cloud Private 3.1.2
  • IBM Cloud Private 3.1.1

For IBM Cloud Private 3.1.2, apply patch:

For IBM Cloud Private 3.1.1, apply patch:

For IBM Cloud Private 2.1.x, 3.1.0:

  • Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud Private 3.2.
  • If required, individual product fixes can be made available between CD update packages for resolution of problems. Contact IBM support for assistance.

Workarounds and Mitigations

None

CPE Name | Operator | Version
ibm cloud private | eq | any
