Security Bulletin: IBM Data Studio Web Console is vulnerable to cross-site request forgery, caused by improper validation of browser request headers.

Abstract

A service in the IBM Data Studio Web Console versions 3.1.0 and 3.1.1 is impacted by cross-site request forgery. By persuading an authenticated user to visit a malicious web site, a remote attacker could exploit this vulnerability to obtain sensitive information.

Content

VULNERABILITY DETAILS
CVE ID: CVE-2013-2980

DESCRIPTION:

Exploitation is possible only after a user has logged in to the console successfully and then visits a malicious web site. Client-side code on that site may be able to trick the user's browser into retrieving sensitive monitored database information (such as health status or job execution failures).
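As an added defender-side illustration (not IBM's code and not the console's actual fix), the following Python check shows the kind of browser-request-header validation whose absence the description attributes this CSRF to; the console origin, header names, token and sample requests are all assumptions constructed for the example.

```python
# Added example, not IBM's code: a request-header CSRF check of the kind whose
# absence the bulletin describes. The console origin and header names below
# are assumptions, and the sample requests are constructed.
import secrets
from urllib.parse import urlsplit

CONSOLE_ORIGIN = "https://dsweb.example.internal:11080"  # assumed console address


def _origin_of(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def is_same_origin_request(headers: dict, allowed_origin: str = CONSOLE_ORIGIN) -> bool:
    """True only if Origin (or, when absent, Referer) names the console itself.
    A request carrying neither header is rejected: a forged cross-site request
    cannot set these headers, so their absence proves nothing."""
    h = {k.lower(): v for k, v in headers.items()}
    if "origin" in h:
        return h["origin"].rstrip("/").lower() == allowed_origin.lower()
    if h.get("referer"):
        return _origin_of(h["referer"]) == allowed_origin.lower()
    return False


def is_allowed_data_request(headers: dict, session_token: str) -> bool:
    """Gate a JSON endpoint that returns monitoring data (health, job status).
    Besides the origin check, demand two things a page on another site cannot
    supply: a custom request header (only same-origin XHR/fetch can add it)
    and a per-session token sent in a header rather than in the cookie."""
    h = {k.lower(): v for k, v in headers.items()}
    if not is_same_origin_request(headers):
        return False
    if h.get("x-requested-with") != "XMLHttpRequest":
        return False
    return secrets.compare_digest(h.get("x-csrf-token", ""), session_token)


# Constructed sample requests; JSESSIONID is a placeholder session cookie.
SESSION_TOKEN = "b2e1c7f0a9d34c5e"  # constructed; random per session in practice
LEGITIMATE = {"Cookie": "JSESSIONID=x", "Origin": CONSOLE_ORIGIN,
              "X-Requested-With": "XMLHttpRequest", "X-CSRF-Token": SESSION_TOKEN}
FORGED = {"Cookie": "JSESSIONID=x", "Origin": "https://attacker.example",
          "Referer": "https://attacker.example/lure.html"}
HEADERLESS = {"Cookie": "JSESSIONID=x"}  # e.g. a plain <img> or <form> GET

if __name__ == "__main__":
    for name, req in (("legitimate", LEGITIMATE), ("forged", FORGED), ("headerless", HEADERLESS)):
        print(name, is_allowed_data_request(req, SESSION_TOKEN))
```

Only the legitimate request passes; the forged and header-less requests are refused even though all three carry the same authenticated session cookie.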

CVSS:
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/84113 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/AU:N/C:P/I:N/A:N)

AFFECTED PRODUCTS:

IBM Data Studio Web Console 3.1.0 and 3.1.1 on all supported operating systems.

REMEDIATION:

Fix(es):
Upgrade to IBM Data Studio Web Console 3.2: http://www.ibm.com/developerworks/downloads/im/data/

Mitigation:
None

Workaround(s):
None

REFERENCES:

· Complete CVSS Guide
· On-line Calculator V2
· X-Force Vulnerability Database (84113)
· CVE-2013-2980

RELATED INFORMATION:

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Program


CHANGE HISTORY:

14 June 2013: Original publication


Document Information

Modified date: 16 June 2018
UID: swg21638733