# Security Bulletin: IBM MQ is vulnerable to an issue in follow-redirects due to open redirect (CVE-2023-26159)

## Summary

IBM MQ has addressed an issue in follow-redirects. Follow-redirects is used by IBM MQ as part of the MQ Console.

## Vulnerability Details

CVEID: CVE-2023-26159

DESCRIPTION: follow-redirects could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker could exploit this vulnerability using a specially crafted URL to redirect a victim to arbitrary Web sites.

CVSS Base score: 7.1

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/278622 for the current score.

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)

## Affected Products and Versions

Affected Product(s) | Version(s)
---|---
IBM MQ | 9.2 LTS
IBM MQ | 9.3 LTS
IBM MQ | 9.3 CD

The following installable MQ components are affected by the vulnerability:

- REST API and Console

If you are running any of these listed components, please apply the remediation/fixes as described below. For more information on the definitions of components used in this list see https://www.ibm.com/support/pages/installable-component-names-used-ibm-mq-security-bulletins

## Remediation/Fixes

This issue was addressed under APAR IT45253.

- IBM MQ version 9.2 LTS: Apply Cumulative Security Update 9.2.0.22
- IBM MQ version 9.3 LTS: Apply Cumulative Security Update 9.3.0.16
- IBM MQ version 9.3 CD: Upgrade to IBM MQ version 9.3.5 CD

## Workarounds and Mitigations

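The vulnerability description above names the class of defect, an open redirect: a redirect target taken from untrusted input is followed without checking where it actually points. The following is an added example, not code from the bulletin, from IBM MQ or from the follow-redirects project, and it is not the fix those projects shipped. It shows the defensive check a server or HTTP client should apply before honouring a redirect target: resolve the value against a known base and compare the resulting origin to an allowlist. The names `isSafeRedirect`, `sanitizeRedirect`, `resolveRedirect`, `ALLOWED_ORIGINS` and `APP_BASE`, and all sample hosts and inputs, are constructed for this illustration.

```javascript
// Added example: allowlist check on the *resolved origin* of a redirect target.
// Assumed names: APP_BASE, ALLOWED_ORIGINS, resolveRedirect, isSafeRedirect,
// sanitizeRedirect, classify. Sample hosts below are constructed, not real.

// Constructed deployment values: the application's own origin and the origins
// it is willing to redirect to (e.g. its single sign-on service).
const APP_BASE = 'https://app.example';
const ALLOWED_ORIGINS = new Set(['https://app.example', 'https://sso.example']);

// Resolve a redirect target the way a browser would, relative to our base.
// Returns null for input the WHATWG URL parser rejects outright.
function resolveRedirect(target, base = APP_BASE) {
  try {
    return new URL(target, base);
  } catch {
    return null; // unparseable input is treated as unsafe
  }
}

// The core check: scheme must be http(s) and the fully resolved origin must be
// on the allowlist. Comparing the resolved origin (rather than testing that the
// raw string starts with "/") is what catches protocol-relative targets such as
// "//attacker.example" and backslash forms such as "/\attacker.example", both
// of which the URL parser resolves to a foreign host.
function isSafeRedirect(target, allowed = ALLOWED_ORIGINS, base = APP_BASE) {
  const url = resolveRedirect(target, base);
  if (url === null) return false;
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return false; // rejects javascript:, data:, ...
  return allowed.has(url.origin);
}

// What the application should actually send in its Location header: the
// resolved safe target, or a fixed fallback on our own origin otherwise.
function sanitizeRedirect(target, fallback = '/') {
  return isSafeRedirect(target)
    ? resolveRedirect(target).href
    : new URL(fallback, APP_BASE).href;
}

// Constructed inputs of the kind a "next"/"returnTo" parameter might carry.
const SAMPLES = [
  '/account/settings',                          // same-origin relative path
  'https://sso.example/login?next=%2Faccount',  // allowlisted partner origin
  '//attacker.example/phish',                   // protocol-relative, foreign host
  '/\\attacker.example/phish',                  // backslash trick, resolves to foreign host
  'https://attacker.example/phish',             // absolute foreign URL
  'javascript:alert(1)',                        // non-http scheme
];

// Classify each sample: whether it is accepted and where the user would be sent.
function classify(samples = SAMPLES) {
  return samples.map((t) => ({
    target: t,
    safe: isSafeRedirect(t),
    sendTo: sanitizeRedirect(t),
  }));
}

for (const r of classify()) {
  console.log(`${r.safe ? 'ALLOW' : 'BLOCK'} ${r.target} -> ${r.sendTo}`);
}
```

Of the six constructed inputs, only the first two are allowed; the four others all resolve to an origin outside the allowlist (or to no http(s) origin at all) and are replaced by the application root. The check is deliberately placed on the resolved `URL` object rather than on the raw string, because the raw-string heuristics ("starts with a slash", "does not contain `://`") are exactly the ones the protocol-relative and backslash forms defeat.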