HTTP Header Injection Vulnerability in IBM Cloud Pak for Automation
CVE-2021-29872

5.4 MEDIUM

Key Information:

Vendor:
IBM
CVE Published:
18 January 2022

Summary

IBM Cloud Pak for Automation versions 21.0.1 and 21.0.2 do not properly validate the HTTP Host header. By sending a specially crafted HTTP request, a remote attacker could exploit this weakness to conduct cross-site scripting (XSS), cache poisoning, or session hijacking. Organizations running these versions should apply the vendor's fix promptly to protect their deployments.
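The defensive control for this bug class is strict Host header validation against an allowlist of the hostnames the application is actually served under. The following is an added example written for this page, not code from IBM or from Cloud Pak for Automation; the allowlist entries are constructed, and it assumes the application can reject a request before any Host-derived value reaches a page, a redirect or a cache key.

```python
import re
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Constructed allowlist for this example; a real deployment would load the
# hostnames it is legitimately served under from configuration.
ALLOWED_HOSTS = {"automation.example.com", "portal.example.com"}

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, max 63 characters per label.
_HOSTNAME_RE = re.compile(
    r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$"
)


def validate_host_header(host: Optional[str],
                         allowed: Iterable[str] = ALLOWED_HOSTS) -> Optional[str]:
    """Return the canonical hostname if the Host header is acceptable, else None.

    Rejects a missing or empty header, any control character or whitespace
    (header splitting), userinfo ("user@host"), path/query/fragment syntax,
    a non-numeric port, and any hostname that is not on the allowlist after
    lower-casing and stripping an optional port.
    """
    if not host:
        return None
    # CR, LF, other control characters or whitespace never belong in Host.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in host):
        return None
    # "@", "/", "?" and "#" let a crafted value smuggle a second authority.
    if any(c in host for c in "@/?#"):
        return None
    try:
        parts = urlsplit("//" + host)      # treat value as an authority only
        hostname = parts.hostname          # lower-cased, port removed
        _ = parts.port                     # raises ValueError on a bad port
    except ValueError:
        return None
    if not hostname or not _HOSTNAME_RE.match(hostname):
        return None
    return hostname if hostname in set(allowed) else None
```

Use the returned canonical name, never the raw header, wherever the application builds absolute URLs, redirects, password-reset links or cache keys.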

Affected Version(s)

Cloud Pak for Automation 21.0.1

Cloud Pak for Automation 21.0.2

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published: 18 January 2022

  • Vulnerability reserved