Lucene search

IBMDB163991BDE3C4C28173075C45755114A229D0F6F1A8D59705D1EFAE04975C09

HistoryDec 13, 2023 - 9:51 p.m.

Security Bulletin: IBM UrbanCode Deploy (UCD) is vulnerable to a HTTP tequest smuggling vulnerability (CVE-2023-45648)

2023-12-1321:51:44

www.ibm.com

ibm

urbancode deploy

http request smuggling

apache tomcat

vulnerability

http

trailer headers

cve-2023-45648

web cache

web application firewall

xss attacks

affected products

versions

remediation

fixes

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

AI Score

Confidence

High

EPSS

0.002

Percentile

60.5%

JSON

Summary

Apache Tomcat is vulnerable to HTTP request smuggling, caused by improper parsing of HTTP trailer headers. By sending a specially crafted invalid trailer header, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.

Vulnerability Details

CVEID:CVE-2023-45648
**DESCRIPTION:**Apache Tomcat is vulnerable to HTTP request smuggling, caused by improper parsing of HTTP trailer headers. By sending a specially crafted invalid trailer header, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268200 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
UCD - IBM UrbanCode Deploy	7.0 - 7.0.5.18
UCD - IBM UrbanCode Deploy	7.1 - 7.1.2.14
UCD - IBM UrbanCode Deploy	7.2 - 7.2.3.7
UCD - IBM UrbanCode Deploy	7.3 - 7.3.2.2

Remediation/Fixes

IBM strongly suggests the following:

Upgrade affected versions to any of 7.0.5.19, 7.1.2.15, 7.2.3.8, 7.3.2.3, or 8.0.0.0 or later

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmurbancode_deployMatch8.0.0.0

VendorProductVersionCPE
ibmurbancode_deploy8.0.0.0cpe:2.3:a:ibm:urbancode_deploy:8.0.0.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	urbancode_deploy	8.0.0.0	cpe:2.3:a:ibm:urbancode_deploy:8.0.0.0:::::::*

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

AI Score

Confidence

High

EPSS

0.002

Percentile

60.5%

JSON

Related for DB163991BDE3C4C28173075C45755114A229D0F6F1A8D59705D1EFAE04975C09