Multiple vulnerabilities in IBM App Connect Enterprise and IBM Integration Bus for z/OS
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2023-50310 CVE-2023-50311 |
| CWE-ID | CWE-522 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
IBM App Connect Enterprise Universal components / Libraries / Software for developers Integration Bus for z/OS Other software / Other software solutions |
| Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Insufficiently protected credentials
EUVDB-ID: #VU88898
Risk: Low
CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-50310
CWE-ID:
CWE-522 - Insufficiently Protected Credentials
Exploit availability: No
DescriptionThe vulnerability allows a remote privileged user to gain access to other users' credentials.
The vulnerability exists due to IBM CICS Transaction Gateway transmits or stores authentication credentials using insecure method that is susceptible to unauthorized interception and/or retrieval. A remote privileged user can view contents of the configuration file and gain access to passwords for 3rd party integration.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM App Connect Enterprise: before 12.0.12.3
Integration Bus for z/OS : before 10.1.0.3
CPE2.3http://www.ibm.com/support/pages/node/7158081
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Insufficiently protected credentials
EUVDB-ID: #VU88899
Risk: Low
CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-50311
CWE-ID:
CWE-522 - Insufficiently Protected Credentials
Exploit availability: No
DescriptionThe vulnerability allows a remote privileged user to gain access to other users' credentials.
The vulnerability exists due to IBM CICS Transaction Gateway transmits or stores authentication credentials using insecure method that is susceptible to unauthorized interception and/or retrieval. A remote privileged user can view contents of the configuration file and gain access to passwords for 3rd party integration.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM App Connect Enterprise: before 12.0.12.3
Integration Bus for z/OS : before 10.1.0.3
CPE2.3http://www.ibm.com/support/pages/node/7158081
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
