SB2024120429 - Multiple vulnerabilities in IBM Robotic Process Automation for Cloud Pak

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) CRLF injection (CVE-ID: CVE-2019-11236)

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to insufficient filtration of user-supplied data passed via HTTP request parameters to urllib3 library. A remote attacker can pass specially crafted data that contains CRLF sequences and perform a spoofing attack.

2) Information disclosure (CVE-ID: CVE-2023-45803)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to urllib3 does not remove the HTTP request body when redirecting HTTP response using status codes 301, 302, or 303, after the request had its method changed from one that could accept a request body (e.g. from POST to GET). A remote attacker can gain access to potentially sensitive information.

3) Security features bypass (CVE-ID: CVE-2024-35195)

The vulnerability allows a local user to compromise the target system.

The vulnerability exists due to the session object does not verify requests after making first request with verify=False. A local administrator can bypass authentication.

4) Information disclosure (CVE-ID: CVE-2024-37891)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to Prox-Authorization header is not stripped during cross-origin redirects when using urllib3's proxy support with ProxyManager. A remote attacker can gain obtain proxy credentials used by the library.

Remediation

Install update from vendor's website.

References

• https://www.ibm.com/support/pages/node/7177596