SB2024060620 - Multiple vulnerabilities in IBM Business Automation Workflow traditional
Published: June 6, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2024-28849)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to credentials are shared via headers when following cross-domain redirects. A remote attacker can gain access to sensitive information.
2) Information disclosure (CVE-ID: CVE-2024-21501)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application when used on the backend and with the style attribute allowed. A remote attacker can enumerate files on the system, including project dependencies.
Remediation
Install update from vendor's website.