IBM Application Gateway Vulnerability Advisory: CSRF, Kerberos Token, and Permission Issues

Critical Vulnerability Information Vulnerability Overview CVE IDs: CVE-2023-5455, CVE-2024-37370, CVE-2024-45655 Affected Product: IBM Application Gateway Version Range: 9.12 - 24.09 Vulnerability Details CVE-2023-5455 Description: FreeIPA contains a Cross-Site Request Forgery (CSRF) vulnerability due to improper validation of user input. Attackers can exploit this by tricking authorized users into visiting malicious websites, thereby sending malicious HTTP requests to perform unauthorized actions. CWE: CWE-352: Cross-Site Request Forgery (CSRF) CVSS Base Score: 6.5 CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) CVE-2024-37370 Description: In MIT Kerberos 5 (aka krb5) versions prior to 1.21.3, attackers can modify the plaintext Extra Count field of confidential GSS krb5 wrap tokens, causing the unwrapped token to appear truncated. CWE: CWE-345: Insufficient Verification of Data Authenticity CVSS Base Score: 5.3 CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H) CVE-2024-45655 Description: IBM Application Gateway allows local privileged users to perform unauthorized operations due to incorrect permission assignments. CWE: CWE-732: Incorrect Permission Assignment for Critical Resource CVSS Base Score: 5.3 CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N) Affected Products and Versions Affected Product: IBM Application Gateway Versions: 9.12 - 24.09 Mitigation / Fix Recommendation: IBM strongly recommends customers upgrade to the latest software version. IBM Verify Identity Access version 24.12.0 resolves these vulnerabilities and can be downloaded along with instructions for IBM Application Gateway Containers. Workarounds and Mitigations Workarounds and Mitigations: None References Complete CVSS v3 Guide Online Calculator v3 Related Information IBM Secure Engineering Web Portal IBM Product Security Incident Response Blog

Goal Reached Thanks to every supporter — we hit 100%!

IBM Application Gateway Vulnerability Advisory: CSRF, Kerberos Token, and Permission Issues