CVE-2024-22356 — Improper Output Neutralization for Logs in IBM APP Connect Enterprise

CWE-117 — Improper Output Neutralization for Logs CWE-116 — Improper Encoding or Escaping of Output3 documents3 sources

Severity

4.9MEDIUMNVD

EPSS

0.1%

top 81.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

IBM APP Connect Enterprise IBM Integration BUS

Timeline

PublishedMar 26

Description

IBM App Connect Enterprise 11.0.0.1 through 11.0.0.23, 12.0.1.0 through 12.0.9.0 and IBM Integration Bus for z/OS 10.1 through 10.1.0.2store potentially sensitive information in log or trace files that could be read by a privileged user. IBM X-Force ID: 280893.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 1.2 | Impact: 3.6

Affected Packages4 packages

▶NVDibm/app_connect_enterprise11.0.0.1 — 11.0.0.24+1

▶CVEListV5ibm/app_connect_enterprise11.0.0.1 — 11.0.0.23+1

▶NVDibm/integration_bus10.1 — 10.1.0.3

▶CVEListV5ibm/integration_bus10.1 — 10.1.0.2

Patches

Patch: www.ibm.com ↗Patch: www.ibm.com ↗

🔴Vulnerability Details

CVEList

IBM App Connect Enterprise and IBM Integration Bus for z/OS information disclosure↗2024-03-26

▶

GHSA

GHSA-7chf-chrh-74q7: IBM App Connect Enterprise 11↗2024-03-26

▶