Security Bulletin: IBM Cloud Pak for Security is vulnerable to cross-site scripting (XSS) (CVE-2022-36776)
Summary IBM Cloud Pak for Security is vulnerable to cross-site scripting (XSS). This has been updated in the latest release and the vulnerability has been addressed. Please follow the instructions in the Remediation/Fixes section below to update to the latest version of Cloud Pak for Security CP4S...
Security Bulletin: IBM Cloud Pak for Security includes components with multiple known vulnerabilities (CVE-2022-48195, CVE-2022-29577, CVE-2022-28367)
Summary IBM Cloud Pak for Security includes components with known vulnerabilities. These have been updated in the latest release and vulnerabilities have been addressed. Please follow the instructions in the Remediation/Fixes section below to update to the latest version of Cloud Pak for Security...
CVE-2022-38382
IBM Cloud Pak for Security CP4S 1.10.0.0 through 1.10.11.0 and IBM QRadar Suite Software 1.10.12.0 through 1.10.23.0 do not invalidate the session after logout, which could allow another authenticated user to obtain sensitive information. IBM X-Force ID: 233672...
CVE-2022-38383
CVE-2022-38383 affects IBM Cloud Pak for Security (CP4S) and QRadar Suite: CP4S 1.10.0.0–1.10.11.0 and QRadar Suite 1.10.12.0–1.10.21.0 store web pages locally, readable by another user on the same system (information exposure). Root cause is local storage of pages containing sensitive data. IBM’...
CVE-2021-39090
CVE-2021-39090 affects IBM Cloud Pak for Security (CP4S). CP4S versions 1.10.0.0 through 1.10.6.0 are vulnerable due to a failure to properly enable HTTP Strict Transport Security, enabling a remote attacker to obtain sensitive information via man-in-the-middle techniques. Impact is information d...
CVE-2022-36777
CVE-2022-36777 affects IBM Cloud Pak for Security (CP4S) 1.10.0.0–1.10.11.0 and IBM QRadar Suite Software 1.10.12.0–1.10.16.0, enabling an authenticated user to obtain sensitive version information that could aid subsequent attacks. The issue is described as an information-disclosure vulnerabilit...
CVE-2023-30993
Summary of vulnerability (CVE-2023-30993): IBM Cloud Pak for Security (CP4S) versions 1.9.0.0 through 1.9.2.0 are affected. A flaw could allow an attacker who has a valid API key for one tenant to access data from another tenant’s account, indicating a cross-tenant data exposure vulnerability. R...
Security Bulletin: IBM Cloud Pak for Security includes components with multiple known vulnerabilities (CVE-2023-0286, CVE-2023-23931)
Summary IBM Cloud Pak for Security includes components with known vulnerabilities. These have been updated in the latest release and vulnerabilities have been addressed. Please follow the instructions in the Remediation/Fixes section below to update to the latest version of Cloud Pak for Security...
CVE-2021-39089
IBM Cloud Pak for Security (CP4S) 1.10.0.0–1.10.6.0 contains an information-disclosure vulnerability that could allow an authenticated user to obtain sensitive data via a specially crafted HTTP request. The issue has been addressed in CP4S 1.10.7.0; upgrade to at least 1.10.7.0 to remediate. CVSS...
CVE-2021-39011
CVE-2021-39011 affects IBM Cloud Pak for Security (CP4S) versions 1.10.0.0 through 1.10.6.0, where potentially sensitive information could be stored in log files readable by a privileged user. The root cause is information disclosure via log data exposure. IBM’s bulletin indicates remediation via...
Security Bulletin: IBM Cloud Pak for Security (CP4S) is vulnerable to information disclosure (CVE-2021-39011)
Summary IBM Cloud Pak for Security CP4S stores potentially sensitive information in log files that could be read by a privileged user. This has been updated in the latest release and the vulnerability has been addressed. Please follow the instructions in the Remediation/Fixes section below to...
Security Bulletin: OpenSSH as used by IBM Cloud Pak for Security is vulnerable to privilege escalation (CVE-2021-41617)
Summary OpenSSH as used by IBM Cloud Pak for Security is vulnerable to privilege escalation. This has been updated in the latest release and the vulnerability has been addressed. Please follow the instructions in the Remediation/Fixes section below to update to the latest version of Cloud Pak f...
Security Bulletin: Apache Commons Text as used by IBM Cloud Pak for Security is vulnerable to code execution [CVE-2022-42889]
Summary Apache Commons Text as used by IBM Cloud Pak for Security is vulnerable to arbitrary code execution. IBM has addressed the relevant CVE, CVE-2022-42889. Vulnerability Details CVEID: CVE-2022-42889 DESCRIPTION: Apache Commons Text could allow a remote attacker to execute arbitrary code on th...
CVE-2022-38387
IBM Cloud Pak for Security CP4S 1.10.0.0 through 1.10.2.0 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. IBM X-Force ID: 233786...
Cross site scripting
IBM Cloud Pak for Security CP4S 1.10.0.0 through 1.10.2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM...
CVE-2022-36776
IBM Cloud Pak for Security (CP4S) versions 1.10.0.0 through 1.10.2.0 are affected by a cross-site scripting (XSS) vulnerability that allows embedding arbitrary JavaScript in the Web UI, potentially leading to credentials disclosure in a trusted session. Root cause: reflected or stored XSS in the ...
CVE-2022-38385
IBM Cloud Pak for Security (CP4S) 1.10.0.0–1.10.2.0 is affected by an input validation issue that could allow an authenticated user to access highly sensitive information or perform unauthorized actions. The Red Hat and IBM bulletins confirm the root cause as improper input validation and list CP...
CVE-2022-38387
CVE-2022-38387 affects IBM Cloud Pak for Security (CP4S) versions 1.10.0.0 through 1.10.2.0. Affected component: CP4S service logic exposed to remote requests. Root cause: command injection allowing a remote authenticated attacker to execute arbitrary commands on the system via a specially crafte...
CVE-2021-39013
CVE-2021-39013 affects IBM Cloud Pak for Security (CP4S) versions 1.7.2.0, 1.7.1.0, and 1.7.0.0. An authenticated user can obtain sensitive information in HTTP responses, which could be used to support further attacks against the system. The vulnerability details and affected versions are support...