Security Bulletin: IBM Storage Scale Install toolkit may be affected by a vulnerability in Jinja (CVE-2024-34064)

Summary

There is a vulnerability in Jinja, used by Storage Scale Install toolkit which could allow a remote attacker to steal the victim’s cookie-based authentication credentials.

Vulnerability Details

CVEID:CVE-2024-34064
**DESCRIPTION:**Jinja is vulnerable to cross-site scripting, caused by the acceptance of keys containing non-attribute characters by the xmlattr filter. A remote attacker could exploit this vulnerability to inject other attributes into a Web page which would be executed in a victims Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/290008 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Affected Products and Versions

Remediation/Fixes

For IBM Storage Scale V5.2.0.0, apply V5.2.1.0 or later available from FixCentral at:

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Storage+Scale&release=5.2.1&platform=All&function=all

For IBM Storage Scale V5.1.0.0 through V5.1.9.4, apply V5.2.1.0 or 5.1.9.5 or later available from FixCentral at:

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Storage+Scale&release=5.1.9&platform=All&function=all

Workarounds and Mitigations

None