CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
19.0%
IBM Business Automation Workflow is vulnerable to an information disclosure attack.
CVEID:CVE-2023-50959
**DESCRIPTION:**IBM Business Automation Workflow may allow end users to query more documents than expected from a connected Enterprise Content Management system when configured to use a system account.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/275938 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)
Affected Product(s) | Version(s) | Status |
---|---|---|
IBM Business Automation Workflow containers |
V23.0.2 - V23.0.2-IF002
V23.0.1 all fixes
V22.0.2 all fixes
V22.0.1 all fixes
V21.0.3 - V21.0.3-IF030
V21.0.2 all fixes
V20.0.0.2 all fixes
V20.0.0.1 all fixes
| affected
IBM Business Automation Workflow traditional| V23.0.1 - V23.0.2
V22.0.1 - V22.0.2
V21.0.1 - V21.0.3.1
V20.0.0.1 - V20.0.0.2
V19.0.0.1 - V19.0.0.3| affected
For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.
The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR DT247523 as soon as practical.
Affected Product(s) | Version(s) | Remediation / Fix |
---|---|---|
IBM Business Automation Workflow containers | V23.0.2 | Apply 23.0.2-IF003 |
IBM Business Automation Workflow containers | V21.0.3 | Apply 21.0.3-IF031 |
or upgrade to 23.0.2-IF003 or later | ||
IBM Business Automation Workflow containers | V23.0.1 | |
V22.0.1 - V22.0.2 | ||
V21.0.1 - V21.0.2 | ||
V20.0.0.1 - V20.0.0.2 | Upgrade to 21.0.3-IF031 | |
or upgrade to 23.0.2-IF003 or later | ||
IBM Business Automation Workflow traditional and IBM Business Automation Workflow Enterprise Service Bus | V23.0.2 | Apply DT247523 |
IBM Business Automation Workflow traditional | V21.0.3.1 | Apply DT247523 |
IBM Business Automation Workflow traditional |
V23.0.1
V22.0.1 - V22.0.2
V21.0.1 - V21.0.3.0
V20.0.0.1 - V20.0.0.2
V19.0.0.1 - V19.0.0.3
V18.0.0.1 - V18.0.0.3
| Upgrade to a long term support release or the latest SSCD version. See IBM Business Automation Workflow and IBM Integration Designer Software Support Lifecycle Addendum
The fix introduces a new concept of a “ECM Document Query Authorization Service”, comparable to the existing concept of “ECM Document Authorization Service” (see related information below). By implementing this service, your own code can pre-process CMIS queries sent from a client (like a Client Side Human Service) before they are forwarded to an external ECM system. The service implementation is mandatory for external ECM server definitions that have the “Always Use This Connection Information” checkbox checked, that is, when using a system account independent of the current end user. The requirement for an “ECM Document Query Authorization Service” can be globally disabled via configuration to allow a transition period when adding such services to your process apps.
None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | business_automation_workflow | 22.0.2 | cpe:2.3:a:ibm:business_automation_workflow:22.0.2:*:*:*:enterprise_service_bus:*:*:* |
ibm | business_automation_workflow | 23.0.1 | cpe:2.3:a:ibm:business_automation_workflow:23.0.1:*:*:*:enterprise_service_bus:*:*:* |
ibm | business_automation_workflow | 23.0.2 | cpe:2.3:a:ibm:business_automation_workflow:23.0.2:*:*:*:enterprise_service_bus:*:*:* |
ibm | business_automation_workflow | 18.0.0.0 | cpe:2.3:a:ibm:business_automation_workflow:18.0.0.0:*:*:*:*:*:*:* |
ibm | business_automation_workflow | 18.0.0.1 | cpe:2.3:a:ibm:business_automation_workflow:18.0.0.1:*:*:*:*:*:*:* |
ibm | business_automation_workflow | 18.0.0.2 | cpe:2.3:a:ibm:business_automation_workflow:18.0.0.2:*:*:*:*:*:*:* |
ibm | business_automation_workflow | 19.0.0.1 | cpe:2.3:a:ibm:business_automation_workflow:19.0.0.1:*:*:*:*:*:*:* |
ibm | business_automation_workflow | 19.0.0.2 | cpe:2.3:a:ibm:business_automation_workflow:19.0.0.2:*:*:*:*:*:*:* |
ibm | business_automation_workflow | 19.0.0.3 | cpe:2.3:a:ibm:business_automation_workflow:19.0.0.3:*:*:*:*:*:*:* |
ibm | business_automation_workflow | 20.0.0.1 | cpe:2.3:a:ibm:business_automation_workflow:20.0.0.1:*:*:*:*:*:*:* |
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
19.0%