Sep 20, 2023 - 2:09 p.m.

Security Bulletin: A vulnerability in Microsoft ASP.NET Core may affect IBM Robotic Process Automation and result in an exposure of sensitive information (CVE-2023-35391).

2023-09-20 14:09:24
www.ibm.com
ibm
robotic process automation
microsoft asp.net core
vulnerability
exposure
sensitive information
update
security bulletin

CVSS3: 7.5 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.001 Low
Percentile: 46.7%

Summary

There is a vulnerability in Microsoft ASP.NET Core, used by IBM Robotic Process Automation as part of its infrastructure, which may allow a remote authenticated attacker to obtain sensitive information (CVE-2023-35391). This bulletin identifies the security fixes to apply to address this vulnerability.

Vulnerability Details

**CVEID:** CVE-2023-35391
**DESCRIPTION:** Microsoft ASP.NET Core and Visual Studio could allow a local authenticated attacker to obtain sensitive information. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information and then use this information to launch further attacks against the affected system.
CVSS Base score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/261914 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM Robotic Process Automation | 21.0.0 - 21.0.7.8, 23.0.0 - 23.0.9 |
| IBM Robotic Process Automation for Cloud Pak | 21.0.0 - 21.0.7.8, 23.0.0 - 23.0.9 |

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

| Product(s) | Version(s) number and/or range | Remediation/Fix/Instructions |
| --- | --- | --- |
| IBM Robotic Process Automation | 21.0.0 - 21.0.7.8 | Download 21.0.7.9 or higher and follow these instructions. |
| IBM Robotic Process Automation for Cloud Pak | 21.0.0 - 21.0.7.8 | Update to 21.0.7.9 or higher using the following instructions. |
| IBM Robotic Process Automation | 23.0.0 - 23.0.9 | Download 23.0.10 or higher and follow these instructions. |
| IBM Robotic Process Automation for Cloud Pak | 23.0.0 - 23.0.9 | Update to 23.0.10 or higher using the following instructions. |

Workarounds and Mitigations

None.

Affected configurations

Vulners
Node
ibm robotic_process_automation Match 21.0.0
OR
ibm robotic_process_automation Match 21.0.7.8
OR
ibm robotic_process_automation Match 23.0.0
OR
ibm robotic_process_automation Match 23.0.9
