CVE-2021-29872

CWE-1163 documents3 sources
Severity
5.4MEDIUM
EPSS
0.1%
top 83.17%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
IBM Cloud PAK FOR Automation
Timeline
PublishedJan 18
Latest updateJan 19

Description

IBM Cloud Pak for Automation 21.0.1 and 21.0.2 - Business Automation Studio Component is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. By sending a specially crafted HTTP request, a remote attacker could exploit this vulnerability to inject HTTP HOST header, which will allow the attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 206228.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

CVEListV5ibm/cloud_pak_for_automation21.0.1, 21.0.2+1
NVDibm/cloud_pak< 21.0.2+3

Patches

Patch: www.ibm.comPatch: www.ibm.com

🔴Vulnerability Details

2
GHSA
GHSA-4556-grwq-3p9h: IBM Cloud Pak for Automation 212022-01-19
CVEList
CVE-2021-29872: IBM Cloud Pak for Automation 212022-01-18
CVE-2021-29872 (MEDIUM CVSS 5.4) | IBM Cloud Pak for Automation 21.0.1 | cvebase.io