Summary

IBM Business Automation Workflow packages a vulnerable copy of jjwt.

Vulnerability Details

**CVEID:** CVE-2024-31033

**DESCRIPTION:** An unspecified error with ignoring certain characters in jwtk JJWT (aka Java JWT) has an unknown impact and attack vector.

CVSS Base score: 6.8

CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/286924 for the current score.

CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N)

Affected Products and Versions

Affected Product(s)| Version(s)| Status
---|---|---
IBM Business Automation Workflow containers| V23.0.2 – V23.0.2-IF004<br>V23.0.1 all fixes<br>V22.0.2 all fixes<br>V22.0.1 all fixes<br>V21.0.3 – V21.0.3-IF032<br>V21.0.2 all fixes<br>V20.0.0.2 all fixes<br>V20.0.0.1 all fixes| affected
IBM Business Automation Workflow traditional| V23.0.1 – V23.0.2<br>V22.0.1 – V22.0.2<br>V21.0.1 – V21.0.3.1<br>V20.0.0.1 – V20.0.0.2<br>V19.0.0.1 – V19.0.0.3| affected
IBM Business Automation Workflow Enterprise Service Bus| V23.0.1 – V23.0.2<br>V22.0.2| affected

For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.

Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR DT378426 as soon as practical.

Affected Product(s)| Version(s)| Remediation / Fix
---|---|---
IBM Business Automation Workflow containers| V23.0.2| Apply 23.0.2-IF005
IBM Business Automation Workflow containers| V21.0.3| Apply 21.0.3-IF033 or upgrade…