Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMF5A066D51EC3D97F1F4070F7490532FB57397E705C313BFDE77A21018AFCC667
HistoryFeb 07, 2024 - 5:34 p.m.

Security Bulletin: Multiple security vulnerabilities are addressed with IBM Process Mining 1.14.3 IF001

2024-02-0717:34:13
www.ibm.com
13
ibm process mining
1.14.3 if001
http request smuggling
cross-site request forgery
denial of service
apache tomcat
axios
qos.ch sarl logback

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.2 High

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

76.1%

JSON

Summary

The following security vulnerabilities are addressed with IBM Process Mining 1.14.3 IF001

Vulnerability Details

CVEID:CVE-2023-46589
**DESCRIPTION:**Apache Tomcat is vulnerable to HTTP request smuggling, caused by improper parsing of the HTTP trailer headers. By sending a specially crafted HTTP(S) trailer header, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/272444 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID:CVE-2023-45857
**DESCRIPTION:**Axios is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By inserting the X-XSRF-TOKEN header using the secret XSRF-TOKEN cookie value in all requests to any server when the XSRF-TOKEN0 cookie is available, and the withCredentials setting is turned on, an attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
CVSS Base score: 7.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/270574 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)

CVEID:CVE-2023-6378
**DESCRIPTION:**QOS.ch Sarl Logback is vulnerable to a denial of service, caused by a serialization flaw in the receiver component. By sending specially crafted poisoned data, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/272577 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2023-6481
**DESCRIPTION:**QOS.ch Sarl Logback is vulnerable to a denial of service, caused by a serialization flaw in the logback receiver component. By sending a specially crafted data, a local attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/273013 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Process Mining 1.14.3

Remediation/Fixes

Any open source library may be included in one or more sub-components of IBM Process Mining. Open source updates are not always synchronized across all components. The CVEs in this bulletin are specifically addressed by

Product(s)

| Version(s) number and/or range| Remediation/Fix/Instructions
—|—|—
IBM Process Mining|

1.14.3

|

**Upgrade to version 1.14.3 IF001 **<https://www.ibm.com/support/pages/node/7096382&gt;

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmrobotic_process_automation_as_a_serviceMatch1.14.3

Related

cve 4
ibm 51
cvelist 4
redhat 12
osv 13
cgr 4
githubexploit 3
ubuntucve 4
redhatcve 4
nvd 4
github 4
openvas 10
tomcat 4
veracode 4
nessus 32
kaspersky 3
f5 1
almalinux 2
atlassian 12
debiancve 4
wolfi 2
oraclelinux 2
amazon 1
prion 4
rocky 1
gitlab 3
debian 3
redos 1
photon 3
cve
cve
CVE-2023-6481
2023-12-04 09:15:37
CVE-2023-46589
2023-11-28 16:15:06
CVE-2023-45857
2023-11-08 21:15:08
ibm
ibm
Security Bulletin: Logback is vulnerable to CVE-2023-6481 and CVE-2023-6378 used in IBM Maximo Application Suite - Monitor Component
2024-02-27 16:18:32
Security Bulletin: IBM Event Streams is vulnerable to a cross-site request forgery due to the Axios component (CVE-2023-45857).
2024-06-25 09:08:13
Security Bulletin: IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Axios
2024-01-31 22:47:32
cvelist
cvelist
CVE-2023-6481 Logback "receiver" DOS vulnerability CVE-2023-6378 incomplete fix
2023-12-04 08:35:44
CVE-2023-46589 Apache Tomcat: HTTP request smuggling via malformed trailer headers
2023-11-28 15:31:52
CVE-2023-45857
2023-11-08 00:00:00
redhat
redhat
(RHSA-2024:0793) Important: Red Hat Integration Camel for Spring Boot 4.0.3 release security update
2024-02-12 17:59:02
(RHSA-2024:0532) Important: tomcat security update
2024-01-29 00:58:19
(RHSA-2024:1134) Important: tomcat security update
2024-03-05 15:32:17
osv
osv
Axios Cross-Site Request Forgery Vulnerability
2023-11-08 21:30:37
CVE-2023-45857
2023-11-08 21:15:08
tomcat9 - security update
2024-01-05 00:00:00
cgr
cgr
CVE-2023-45857 vulnerabilities
2024-05-19 03:07:16
CVE-2023-46589 vulnerabilities
2024-05-19 03:07:16
CVE-2023-6481 vulnerabilities
2024-05-19 03:07:16
githubexploit
githubexploit
Exploit for Cross-Site Request Forgery (CSRF) in Axios
2023-10-26 04:18:03
Exploit for Cross-Site Request Forgery (CSRF) in Axios
2023-11-24 22:42:56
Exploit for CVE-2023-45857
2023-10-18 12:19:34
ubuntucve
ubuntucve
CVE-2023-45857
2023-11-08 00:00:00
CVE-2023-6481
2023-12-04 00:00:00
CVE-2023-46589
2023-11-28 00:00:00
redhatcve
redhatcve
CVE-2023-45857
2023-11-10 00:17:17
CVE-2023-46589
2023-11-29 09:26:39
CVE-2023-6481
2023-12-05 14:14:02
nvd
nvd
CVE-2023-45857
2023-11-08 21:15:08
CVE-2023-6481
2023-12-04 09:15:37
CVE-2023-46589
2023-11-28 16:15:06
github
github
Axios Cross-Site Request Forgery Vulnerability
2023-11-08 21:30:37
Logback is vulnerable to an attacker mounting a Denial-Of-Service attack by sending poisoned data
2023-12-04 09:30:23
Apache Tomcat Improper Input Validation vulnerability
2023-11-28 18:30:23
openvas
openvas
Apache Tomcat Request Smuggling Vulnerability (Nov 2023) - Linux
2023-11-29 00:00:00
Apache Tomcat Request Smuggling Vulnerability (Nov 2023) - Windows
2023-11-29 00:00:00
SUSE: Security Advisory (SUSE-SU-2024:0209-1)
2024-01-25 00:00:00
tomcat
tomcat
Fixed in Apache Tomcat 10.1.16
2023-11-14 00:00:00
Fixed in Apache Tomcat 8.5.96
2023-11-13 00:00:00
Fixed in Apache Tomcat 9.0.83
2023-11-15 00:00:00
veracode
veracode
Request Smuggling
2023-11-29 06:11:28
Denial Of Service (DoS)
2024-06-14 16:52:39
Cross-Site Request Forgery
2023-11-09 07:07:08
nessus
nessus
SUSE SLES12 Security Update : tomcat (SUSE-SU-2024:0206-1)
2024-01-25 00:00:00
RHEL 8 : tomcat (RHSA-2024:0532)
2024-01-29 00:00:00
AlmaLinux 8 : tomcat (ALSA-2024:0539)
2024-01-30 00:00:00
kaspersky
kaspersky
KLA62192 ACE vulnerability in Apache Tomcat
2023-11-13 00:00:00
KLA62193 ACE vulnerability in Apache Tomcat
2023-11-14 00:00:00
KLA62191 ACE vulnerability in Apache Tomcat
2023-11-15 00:00:00
f5
f5
K000137926 : Apache Tomcat vulnerability CVE-2023-46589
2023-12-18 00:00:00
almalinux
almalinux
Important: tomcat security update
2024-01-29 00:00:00
Important: tomcat security update
2024-03-05 00:00:00
atlassian
atlassian
Request Smuggling org.apache.tomcat:tomcat-catalina Dependency in Confluence Data Center and Server
2024-01-17 06:46:32
Request Smuggling org.apache.tomcat:tomcat-catalina Dependency in Bamboo Data Center and Server
2023-12-14 07:45:15
Request Smuggling org.apache.tomcat:tomcat-catalina Dependency in Jira Software Data Center and Server
2024-01-11 06:46:14
debiancve
debiancve
CVE-2023-45857
2023-11-08 21:15:08
CVE-2023-46589
2023-11-28 16:15:06
CVE-2023-6481
2023-12-04 09:15:37
wolfi
wolfi
CVE-2023-45857 vulnerabilities
2024-07-03 09:08:38
CVE-2023-6378 vulnerabilities
2024-07-03 09:08:38
oraclelinux
oraclelinux
tomcat security update
2024-01-29 00:00:00
tomcat security update
2024-03-07 00:00:00
amazon
amazon
Medium: tomcat8
2024-01-19 01:19:00
prion
prion
Design/Logic Flaw
2023-11-08 21:15:00
Design/Logic Flaw
2023-12-04 09:15:00
Input validation
2023-11-28 16:15:00
rocky
rocky
tomcat security update
2024-02-12 20:16:50
gitlab
gitlab
Logback is vulnerable to an attacker mounting a Denial-Of-Service attack by sending poisoned data
2023-12-04 00:00:00
logback serialization vulnerability
2023-11-29 00:00:00
logback serialization vulnerability
2023-11-29 00:00:00
debian
debian
[SECURITY] [DLA 3707-1] tomcat9 security update
2024-01-05 09:40:41
[SECURITY] [DSA 5665-1] tomcat10 security update
2024-04-17 22:03:15
[SECURITY] [DSA 5667-1] tomcat9 security update
2024-04-19 20:06:14
redos
redos
ROS-20240405-12
2024-04-05 00:00:00
photon
photon
Important Photon OS Security Update - PHSA-2024-5.0-0215
2024-02-21 00:00:00
Important Photon OS Security Update - PHSA-2024-3.0-0732
2024-02-29 00:00:00
Important Photon OS Security Update - PHSA-2024-4.0-0574
2024-02-29 00:00:00

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.2 High

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

76.1%

JSON
Related for F5A066D51EC3D97F1F4070F7490532FB57397E705C313BFDE77A21018AFCC667
cve4ibm51cvelist4redhat12osv13cgr4githubexploit3ubuntucve4redhatcve4nvd4github4openvas10tomcat4veracode4nessus32kaspersky3f51almalinux2atlassian12debiancve4wolfi2oraclelinux2amazon1prion4rocky1gitlab3debian3redos1photon3