Vulnerability CVE-2022-41292

Vulnerability Name:

CVE-2022-41292 (CCN-236805)

Assigned:

2022-10-11

Published:

2022-10-11

Updated:

2022-10-11

Summary:

IBM Robotic Process Automation 21.0.0, 21.0.1, 21.0.2, and 21.0.3 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 236805.

CVSS v3 Severity:

5.4 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)
4.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

5.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): None

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2022-41292

Source: XF
Type: UNKNOWN
ibm-rpa-cve202241292-header-injection(236805)

Source: CCN
Type: IBM Security Bulletin 6828535 (Robotic Process Automation)
IBM Robotic Process Automation is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers.

Vulnerable Configuration:

Configuration CCN 1:

cpe:/a:ibm:robotic_process_automation:21.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:robotic_process_automation:21.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:robotic_process_automation:21.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:robotic_process_automation:21.0.3:*:*:*:*:*:*:*

Denotes that component is vulnerable

BACK