Lucene search

IBMBBFA7DDBA21D296590459BEF46C40DDAE4995F3DCB223548A0039A3F5B8A2C20

HistoryOct 09, 2023 - 11:01 a.m.

Security Bulletin: Vulnerability in Eclipse Jetty affects IBM Process Mining . CVE-2023-26049

2023-10-0911:01:33

www.ibm.com

eclipse jetty

ibm process mining

vulnerability

sensitive information

security fixes

remote attacker

nonstandard cookie parsing

cvss

upgrade

passportadvantage

workarounds

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

46.0%

JSON

Summary

There is a vulnerability in Eclipse Jetty that could allow a remote authenticated attacker to obtain sensitive information on the system. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability.

Vulnerability Details

CVEID:CVE-2023-26049
**DESCRIPTION:**Eclipse Jetty could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw during nonstandard cookie parsing. By sending a specially crafted request to tamper with the cookie parsing mechanism, an attacker could exploit this vulnerability to obtain values from other cookies, and use this information to launch further attacks against the affected system.
CVSS Base score: 4.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253355 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Process Mining

1.14.0, 1.13.2, 1.13.1, 1.13.0, 1.12.0.5, 1.12.0.4

Remediation/Fixes

Remediation/Fixes guidance:

Product(s)	Version(s) number and/or range	Remediation/Fix/Instructions
IBM Process Mining

1.14.1,

1.14.0, 1.13.2, 1.13.1, 1.13.0, 1.12.0.5, 1.12.0.4

Upgrade to version 1.14.2

1.Login to PassPortAdvantage

2. Search for
M0FHQML
Process Mining 1.14.2 Server Multiplatform Multilingual

3. Download package

4. Follow install instructions

5. Repeat for M0FHRML Process Mining 1.14.2 Client Windows Multilingual

| |

Workarounds and Mitigations

Workarounds/Mitigation guidance:

None known

Affected configurations

Vulners

Node

ibmcloud_pak_for_automationMatch1.14.1

ibmcloud_pak_for_automationMatch1.14.0

ibmcloud_pak_for_automationMatch1.13.2

ibmcloud_pak_for_automationMatch1.13.1

ibmcloud_pak_for_automationMatch1.13.0

ibmcloud_pak_for_automationMatch1.12.0.5

ibmcloud_pak_for_automationMatch1.12.0.4

VendorProductVersionCPE
ibmcloud_pak_for_automation1.14.1cpe:2.3:a:ibm:cloud_pak_for_automation:1.14.1:*:*:*:*:*:*:*
ibmcloud_pak_for_automation1.14.0cpe:2.3:a:ibm:cloud_pak_for_automation:1.14.0:*:*:*:*:*:*:*
ibmcloud_pak_for_automation1.13.2cpe:2.3:a:ibm:cloud_pak_for_automation:1.13.2:*:*:*:*:*:*:*
ibmcloud_pak_for_automation1.13.1cpe:2.3:a:ibm:cloud_pak_for_automation:1.13.1:*:*:*:*:*:*:*
ibmcloud_pak_for_automation1.13.0cpe:2.3:a:ibm:cloud_pak_for_automation:1.13.0:*:*:*:*:*:*:*
ibmcloud_pak_for_automation1.12.0.5cpe:2.3:a:ibm:cloud_pak_for_automation:1.12.0.5:*:*:*:*:*:*:*
ibmcloud_pak_for_automation1.12.0.4cpe:2.3:a:ibm:cloud_pak_for_automation:1.12.0.4:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	cloud_pak_for_automation	1.14.1	cpe:2.3:a:ibm:cloud_pak_for_automation:1.14.1:::::::*
ibm	cloud_pak_for_automation	1.14.0	cpe:2.3:a:ibm:cloud_pak_for_automation:1.14.0:::::::*
ibm	cloud_pak_for_automation	1.13.2	cpe:2.3:a:ibm:cloud_pak_for_automation:1.13.2:::::::*
ibm	cloud_pak_for_automation	1.13.1	cpe:2.3:a:ibm:cloud_pak_for_automation:1.13.1:::::::*
ibm	cloud_pak_for_automation	1.13.0	cpe:2.3:a:ibm:cloud_pak_for_automation:1.13.0:::::::*
ibm	cloud_pak_for_automation	1.12.0.5	cpe:2.3:a:ibm:cloud_pak_for_automation:1.12.0.5:::::::*
ibm	cloud_pak_for_automation	1.12.0.4	cpe:2.3:a:ibm:cloud_pak_for_automation:1.12.0.4:::::::*