May 10, 2024 - 3:33 p.m.

Security Bulletin: IBM App Connect Enterprise is vulnerable to a remote attack due to the node.js module follow-redirects and Express.js (CVE-2024-28849, CVE-2024-29041)

www.ibm.com

CVSS3: 6.5 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score: 7.2 High (Confidence: High)

EPSS: 0.0004 Low (Percentile: 10.3%)

Summary

IBM App Connect Enterprise is vulnerable to a remote attack due to the node.js module follow-redirects and Express.js. This bulletin identifies the steps to take to address the vulnerabilities.

Vulnerability Details

CVEID: CVE-2024-28849
**DESCRIPTION:** The Node.js follow-redirects module could allow a remote authenticated attacker to obtain sensitive information. The module leaks credentials because it clears the authorization header during a cross-domain redirect but keeps the proxy-authentication header. An attacker could exploit this vulnerability to obtain credentials and other sensitive information.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/285690 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
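
The header handling behind CVE-2024-28849, as an added illustration that is not code from follow-redirects or IBM App Connect Enterprise: a redirect helper that drops credential headers when the target leaves the original origin, run once with an incomplete pattern and once with a complete one. All function names and sample values are assumptions; the bulletin's "proxy-authentication header" is taken to be HTTP's `Proxy-Authorization` request header, and any change of scheme, host or port is treated as leaving the origin.

```javascript
// Added illustration; not code from follow-redirects or IBM App Connect Enterprise.
// All names below are hypothetical; sample values are constructed placeholders.

// Complete pattern: every request header that carries credentials.
const CREDENTIAL_HEADERS = /^(?:(?:proxy-)?authorization|cookie)$/i;
// Incomplete pattern reproducing the described flaw: Proxy-Authorization is kept.
const INCOMPLETE_PATTERN = /^(?:authorization|cookie)$/i;

// Return the headers that may accompany the redirected request.
// `location` is the Location header value and may be relative.
function headersForRedirect(headers, fromUrl, location, pattern = CREDENTIAL_HEADERS) {
  const from = new URL(fromUrl);
  const to = new URL(location, from);
  // Same scheme, host and port: the credentials stay with the same server.
  if (from.origin === to.origin) return { ...headers };
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!pattern.test(name)) kept[name] = value; // header names match case-insensitively
  }
  return kept;
}

// Names of credential headers still present, for checks and logging.
function credentialHeadersIn(headers) {
  return Object.keys(headers).filter((name) => CREDENTIAL_HEADERS.test(name));
}

// Constructed sample request headers (placeholder credentials).
const sampleHeaders = {
  Accept: 'application/json',
  Authorization: 'Bearer EXAMPLE-TOKEN',
  'Proxy-Authorization': 'Basic EXAMPLE-CREDENTIALS',
  Cookie: 'session=EXAMPLE',
};
const startUrl = 'https://api.example.test/v1/items';
const elsewhereUrl = 'https://files.example.net/download';

const flawed = headersForRedirect(sampleHeaders, startUrl, elsewhereUrl, INCOMPLETE_PATTERN);
const fixed = headersForRedirect(sampleHeaders, startUrl, elsewhereUrl);
console.log('incomplete pattern leaves:', credentialHeadersIn(flawed));
console.log('complete pattern leaves:', credentialHeadersIn(fixed));
```
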

CVEID: CVE-2024-29041
**DESCRIPTION:** Express.js Express could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker could exploit this vulnerability using a specially crafted URL to redirect a victim to arbitrary Web sites.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/286404 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s) | Version(s)
---|---
IBM App Connect Enterprise | 12.0.1.0 - 12.0.11.3
IBM App Connect Enterprise | 11.0.0.1 - 11.0.0.25

Remediation/Fixes

IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate fix to IBM App Connect Enterprise.

Affected Product(s) | Version(s) | APAR | Remediation / Fixes
---|---|---|---
IBM App Connect Enterprise | 12.0.1.0 - 12.0.11.3 | IT45836 | The APAR (IT45836) is available from IBM App Connect Enterprise v12 - Fix Pack Release 12.0.12.0
IBM App Connect Enterprise | 11.0.0.1 - 11.0.0.25 | IT45836 | The APAR (IT45836) is available from IBM App Connect Enterprise v11 - Fix Pack Release 11.0.0.26

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibm app_connect_enterprise Range 12.0.1.0
OR
ibm app_connect_enterprise Range 12.0.11.3
OR
ibm app_connect_enterprise Range 11.0.0.1
OR
ibm app_connect_enterprise Range 11.0.0.25
