Lucene search

IBMEBFB876AA87A3019066A12F2167601FD9E4592525941AD0C22A2BBC49C952852

HistoryFeb 15, 2024 - 4:16 a.m.

Security Bulletin: Multiple urllib vulnerabilities may affect IBM Storage Scale (CVE-2023-43804)

2024-02-1504:16:41

www.ibm.com

ibm storage scale

urllib vulnerabilities

remote authenticated attacker

sensitive information

ibm spectrum scale

version 5.1.0.0 - 5.1.2.14

version 5.1.3.0 - 5.1.9.0

cve-2023-43804

cve-2023-45803

cvss base score

cvss temporal score

request header

http redirect

fix available

ibm support.

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

6.6 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

36.3%

JSON

Summary

Multiple vulnerabilities in urllib repo, used by the IBM Storage Scale call home feature, which could allow a remote authenticated attacker to obtain sensitive information.

Vulnerability Details

CVEID:CVE-2023-45803
**DESCRIPTION:**urllib3 could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw with not remove the HTTP request body when an HTTP redirect response using status 303. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 4.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/269079 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2023-43804
**DESCRIPTION:**urllib3 could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw with cookie request header not stripped during cross-origin redirects. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268192 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Spectrum Scale	5.1.0.0 - 5.1.2.14
IBM Spectrum Scale	5.1.3.0 - 5.1.9.0

Remediation/Fixes

For IBM Storage Scale V5.1.0.0 through V5.1.2.14, apply V5.1.2.15 or later available from FixCentral at:

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Power%20HPC%20Stack&product=ibm/StorageSoftware/IBM+Spectrum+Scale&release=5.1.2&platform=All&function=all

For IBM Storage Scale V5.1.3.0 through V5.1.9.0, apply V5.1.9.1 or later available from FixCentral at:

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Storage+Scale&release=5.1.9&platform=All&function=all

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmspectrum_scaleMatch5.1.

CPENameOperatorVersion
ibm storage scaleeq5.1.

CPE	Name	Operator	Version
	ibm storage scale	eq	5.1.

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

6.6 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

36.3%

JSON

Related for EBFB876AA87A3019066A12F2167601FD9E4592525941AD0C22A2BBC49C952852