
Security Bulletin: IBM WebSphere Automation for IBM Cloud Pak for Watson AIOps is vulnerable to cross-site request forgery (CVE-2022-22493)

Published: 2022-10-07 16:09:39 (source: www.ibm.com)

8.8 High (CVSS3)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS: 0.001 Low (percentile 29.5%)

Summary

IBM WebSphere Automation for IBM Cloud Pak for Watson AIOps is vulnerable to cross-site request forgery. This has been addressed.

Vulnerability Details

CVEID: CVE-2022-22493
DESCRIPTION: IBM WebSphere Automation for IBM Cloud Pak for Watson AIOps is vulnerable to cross-site request forgery, caused by improper cookie attribute setting.
CVSS Base score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/226449 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N)
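The bulletin attributes the CSRF exposure to "improper cookie attribute setting" without naming the attribute. The following is an added example, not IBM's code and not derived from the fixed product: a small audit routine that parses Set-Cookie header values and flags the attributes whose absence widens CSRF exposure. It assumes SameSite is the attribute of interest (the one most directly tied to cross-site request handling), with Secure and HttpOnly checked alongside it; the session cookie names (JSESSIONID, LtpaToken2) and the sample headers are constructed for the demonstration and are not taken from the bulletin.

```python
"""
Added example (not IBM's code): audit Set-Cookie header values for the
attributes that limit cross-site request forgery exposure.

Assumptions (not stated in the bulletin):
  * SameSite is the attribute being checked, with Secure and HttpOnly as
    companions.
  * The session cookie names below are illustrative defaults; pass your own.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union

# Cookie names treated as session carriers (assumption; caller can override).
DEFAULT_SESSION_NAMES = ("jsessionid", "ltpatoken2")


@dataclass
class CookieFinding:
    name: str
    issues: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, Union[str, bool]]]:
    """Split one Set-Cookie value into (cookie name, lower-cased attribute map).

    Flag attributes such as Secure/HttpOnly map to True; valued attributes
    (Path, SameSite, ...) keep their value string.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, Union[str, bool]] = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = True
    return name, attrs


def check_cookie(header: str, session_names=DEFAULT_SESSION_NAMES) -> CookieFinding:
    """Return the CSRF-relevant attribute problems found in one Set-Cookie value."""
    name, attrs = parse_set_cookie(header)
    finding = CookieFinding(name)

    samesite = attrs.get("samesite")
    if samesite is None:
        finding.issues.append("missing SameSite (browser default behaviour applies)")
    elif str(samesite).lower() == "none":
        # SameSite=None explicitly opts the cookie into cross-site requests and
        # is only honoured by modern browsers when Secure is also present.
        if "secure" not in attrs:
            finding.issues.append("SameSite=None without Secure")
        finding.issues.append("SameSite=None sends the cookie on cross-site requests")

    if "secure" not in attrs:
        finding.issues.append("missing Secure")

    if name.lower() in session_names and "httponly" not in attrs:
        finding.issues.append("session cookie missing HttpOnly")

    return finding


def audit(headers: List[str]) -> List[CookieFinding]:
    """Run check_cookie over a list of Set-Cookie values, preserving order."""
    return [check_cookie(h) for h in headers]


# Constructed sample headers for the demonstration (not captured from any product).
CONSTRUCTED_HEADERS = [
    "JSESSIONID=0000abc:1; Path=/; HttpOnly",                            # weak
    "JSESSIONID=0000abc:1; Path=/; Secure; HttpOnly; SameSite=Strict",   # hardened
    "theme=dark; Path=/; SameSite=None",                                 # cross-site, no Secure
]

if __name__ == "__main__":
    for f in audit(CONSTRUCTED_HEADERS):
        status = "OK" if not f.issues else "; ".join(f.issues)
        print(f"{f.name}: {status}")
```

Feed the function the Set-Cookie values observed from the upgraded deployment (for example from a browser's developer tools or a proxy capture) to confirm the session cookie carries the expected attributes after applying 1.4.3.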

Affected Products and Versions

This vulnerability affects all versions of IBM WebSphere Automation for IBM Cloud Pak for Watson AIOps up to and including 1.4.2.

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading to 1.4.3 or higher.

Follow https://www.ibm.com/docs/en/ws-automation?topic=installing-validating-installation to confirm the WebSphere Automation operator version.

Follow https://www.ibm.com/docs/en/ws-automation?topic=installing-updating-websphere-automation to update the WebSphere Automation operator installation.

Workarounds and Mitigations

None

