Vulnerability Name:

CVE-2023-28950 (CCN-251358)

Assigned:2023-05-10
Published:2023-05-10
Updated:2023-05-26
Summary:IBM MQ 8.0, 9.0, 9.1, 9.2, and 9.3 could disclose sensitive user information from a trace file if that functionality has been enabled. IBM X-Force ID: 251358.
CVSS v3 Severity:5.1 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
4.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availibility (A): None
5.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
4.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availibility (A): None
CVSS v2 Severity:4.0 Medium (CCN CVSS v2 Vector: AV:L/AC:H/Au:N/C:C/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): High
Athentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): None
Availibility (A): None
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2023-28950

Source: XF
Type: UNKNOWN
ibm-mq-cve202328950-info-disc(251358)

Source: CCN
Type: IBM Security Bulletin 6985837 (MQ)
IBM MQ trace can inadvertently trace sensitive data (CVE-2023-28950)

Source: CCN
Type: IBM Security Bulletin 7000017 (App Connect Enterprise Certified Container)
IBM App Connect Enterprise Certified Container IntegrationServer and IntegrationRuntime operands that use MQ Client nodes are vulnerable to disclosure of sensitive information due to [CVE-2023-28950]

Source: CCN
Type: IBM Security Bulletin 7011767 (App Connect Enterprise)
IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a denial of service due to IBM MQ (CVE-2023-26285, CVE-2023-28950)

Vulnerable Configuration:Configuration CCN 1:
  • cpe:/a:ibm:mq:8.0:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:app_connect:11.0.0.1:*:*:*:enterprise:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise:12.0.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:4.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.0:*:*:*:lts:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:6.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:6.2:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    ibm mq 8.0
    ibm app connect 11.0.0.1
    ibm app connect enterprise 12.0.1.0
    ibm app connect enterprise certified container 4.1
    ibm app connect enterprise certified container 4.2
    ibm app connect enterprise certified container 5.0
    ibm app connect enterprise certified container 5.1
    ibm app connect enterprise certified container 5.2
    ibm app connect enterprise certified container 6.0
    ibm app connect enterprise certified container 6.1
    ibm app connect enterprise certified container 6.2