

Multiple Apache Products Vulnerabilities
August 26, 2024
Stealthy Linux Malware ‘sedexp’ Remained Undetected for 2 Years – Active IOCs
August 26, 2024
Severity
Medium
Analysis Summary
CVE-2022-43915 CVSS:6.8
IBM App Connect Enterprise Certified Container 5.0, 7.1, 7.2, 8.0, 8.1, 8.2, 9.0, 9.1, 9.2, 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 12.0, and 12.1 does not limit calls to unshare in running Pods. This can allow a user with access to execute commands in a running Pod to elevate their user privileges. The issue is caused by an unspecified flaw. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVE-2024-35151 CVSS:6.5
IBM OpenPages with Watson 8.3 and 9.0 could allow authenticated users access to sensitive information through improper authorization controls on APIs.
CVE-2024-39744 CVSS:4.3
IBM Sterling Connect:Direct Web Services 6.0, 6.1, 6.2, and 6.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
CVE-2024-39746 CVSS:5.9
IBM Sterling Connect:Direct Web Services 6.0, 6.1, 6.2, and 6.3 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man-in-the-middle techniques.
CVE-2024-39745 CVSS:5.9
IBM Sterling Connect:Direct Web Services 6.0, 6.1, 6.2, and 6.3 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
Impact
- Information Disclosure
- Gain Access
Indicators of Compromise
CVE
- CVE-2022-43915
- CVE-2024-35151
- CVE-2024-39744
- CVE-2024-39746
- CVE-2024-39745
Affected Vendors
- IBM
Affected Products
- IBM OpenPages with Watson 8.3
- IBM OpenPages with Watson 9.0
- IBM App Connect Enterprise Certified Container 10.0
- IBM App Connect Enterprise Certified Container 10.1
- IBM App Connect Enterprise Certified Container 11.0
- IBM App Connect Enterprise Certified Container 11.1
- IBM Sterling Connect:Direct Web Services 6.0
- IBM Sterling Connect:Direct Web Services 6.1
- IBM Sterling Connect:Direct Web Services 6.2
- IBM Sterling Connect:Direct Web Services 6.3
Remediation
Refer to IBM Security Advisory for patch, upgrade or suggested workaround information.