CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
19.0%
IBM Business Automation Workflow is vulnerable to an information leakage attack.
CVEID:CVE-2023-40691
**DESCRIPTION:**IBM Business Automation Workflow may reveal sensitive information contained in application configuration to developer and administrator users.
CVSS Base score: 4.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/264805 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
Affected Product(s) | Version(s) | Status |
---|---|---|
IBM Business Automation Workflow containers |
V23.0.1 - V23.0.1-IF004
V22.0.2 all fixes
V22.0.1 all fixes
| affected
IBM Business Automation Workflow containers|
V21.0.3 all fixes
V21.0.2 all fixes
V20.0.0.2 all fixes
V20.0.0.1 all fixes
| Not affected
IBM Business Automation Workflow traditional| V23.0.1
V22.0.1 - V22.0.2| affected
IBM Business Automation Workflow traditional| V21.0.1 - V21.0.3.1
V20.0.0.1 - V20.0.0.2
V19.0.0.1 - V19.0.0.3| Not affected
IBM Business Automation Workflow Enterprise Service Bus| V23.0.1
V22.0.2| affected
For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.
The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR DT230451 as soon as practical.
Affected Product(s) | Version(s) | Remediation / Fix |
---|---|---|
IBM Business Automation Workflow containers | V23.0.1 | Apply 23.0.1-IF005 |
IBM Business Automation Workflow containers | V22.0.1 - V22.0.2 | Upgrade to 23.0.1-IF005 |
IBM Business Automation Workflow traditional and IBM Business Automation Workflow Enterprise Service Bus | V23.0.1 | Apply DT230451 |
IBM Business Automation Workflow traditional | V22.0.2 | |
V22.0.1 | Upgrade to a long term support release or the latest SSCD version. See IBM Business Automation Workflow and IBM Integration Designer Software Support Lifecycle Addendum |
None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | business_automation_workflow | 22.0.2 | cpe:2.3:a:ibm:business_automation_workflow:22.0.2:*:*:*:enterprise_service_bus:*:*:* |
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
19.0%