CVE-2023-47741 - OpenCVE

IBM i 7.3, 7.4, 7.5, IBM i Db2 Mirror for i 7.4 and 7.5 web browser clients may leave clear-text passwords in browser memory that can be viewed using common browser tools before the memory is garbage collected. A malicious actor with access to the victim's PC could exploit this vulnerability to gain access to the IBM i operating system. IBM X-Force ID: 272532.

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Ibm	I Db2 Mirror For I

Configuration 1 [-]

OR	cpe:2.3:a:ibm:db2_mirror_for_i:7.4:::::::*
	cpe:2.3:a:ibm:db2_mirror_for_i:7.5:::::::*
	cpe:2.3:a:ibm:i:7.3:::::::*
	cpe:2.3:a:ibm:i:7.4:::::::*
	cpe:2.3:a:ibm:i:7.5:::::::*

References

Link	Resource
https://www.ibm.com/support/pages/node/7097785	Patch Vendor Advisory
https://www.ibm.com/support/pages/node/7097801	Patch Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: ibm

Published: 2023-12-18T19:09:58.816Z

Updated: 2023-12-18T19:09:58.816Z

Reserved: 2023-11-09T11:31:41.192Z

Link: CVE-2023-47741

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-12-18T20:15:08.213

Modified: 2023-12-22T18:40:58.353

Link: CVE-2023-47741

JSON object: View

Redhat Information

No data.

CWE

CWE-522

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-47741", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2023-11-09T11:31:41.192Z", "datePublished": "2023-12-18T19:09:58.816Z", "dateUpdated": "2023-12-18T19:09:58.816Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "i", "vendor": "IBM", "versions": [{"status": "affected", "version": "7.3, 7.4, 7.5"}]}, {"defaultStatus": "unaffected", "product": "Db2 Mirror for i", "vendor": "IBM", "versions": [{"status": "affected", "version": "7.4, 7.5"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">IBM i 7.3, 7.4, 7.5, IBM i Db2 Mirror for i 7.4 and 7.5 web browser clients may leave clear-text passwords in browser memory that can be viewed using common browser tools before the memory is garbage collected. A malicious actor with access to the victim's PC could exploit this vulnerability to gain access to the IBM i operating system. IBM X-Force ID: 272532.</span>\n\n"}], "value": "\nIBM i 7.3, 7.4, 7.5, IBM i Db2 Mirror for i 7.4 and 7.5 web browser clients may leave clear-text passwords in browser memory that can be viewed using common browser tools before the memory is garbage collected. A malicious actor with access to the victim's PC could exploit this vulnerability to gain access to the IBM i operating system. IBM X-Force ID: 272532.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"description": "525 Information Exposure Through Browser Caching", "lang": "en"}]}], "providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2023-12-18T19:09:58.816Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://www.ibm.com/support/pages/node/7097785"}, {"tags": ["vendor-advisory"], "url": "https://www.ibm.com/support/pages/node/7097801"}], "source": {"discovery": "UNKNOWN"}, "title": "IBM i information disclosure", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ibm:db2_mirror_for_i:7.4:*:*:*:*:*:*:*", "matchCriteriaId": "6D81F028-D6CF-41BD-95A8-C6676C307E8D", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:db2_mirror_for_i:7.5:*:*:*:*:*:*:*", "matchCriteriaId": "37C5BD86-7FB3-445C-95F5-F3D7CE2C597A", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:i:7.3:*:*:*:*:*:*:*", "matchCriteriaId": "DD4F4919-D935-4B81-B4E8-0E0F2DAC09B1", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:i:7.4:*:*:*:*:*:*:*", "matchCriteriaId": "AE2B298C-E1F6-43BD-A5EF-83964C6669CE", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:i:7.5:*:*:*:*:*:*:*", "matchCriteriaId": "88B74622-BDB2-43AE-A91F-FADEC4B64B4F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "\nIBM i 7.3, 7.4, 7.5, IBM i Db2 Mirror for i 7.4 and 7.5 web browser clients may leave clear-text passwords in browser memory that can be viewed using common browser tools before the memory is garbage collected. A malicious actor with access to the victim's PC could exploit this vulnerability to gain access to the IBM i operating system. IBM X-Force ID: 272532.\n\n"}, {"lang": "es", "value": "Los clientes de navegador web IBM i 7.3, 7.4, 7.5, IBM i Db2 Mirror para i 7.4 y 7.5 pueden dejar contrase\u00f1as de texto plano en la memoria del navegador que se pueden ver usando herramientas comunes del navegador antes de que la memoria sea recolectada como basura. Un actor malintencionado con acceso al PC de la v\u00edctima podr\u00eda aprovechar esta vulnerabilidad para obtener acceso al sistema operativo IBM i. IBM X-Force: 272532."}], "id": "CVE-2023-47741", "lastModified": "2023-12-22T18:40:58.353", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 4.0, "source": "psirt@us.ibm.com", "type": "Secondary"}]}, "published": "2023-12-18T20:15:08.213", "references": [{"source": "psirt@us.ibm.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.ibm.com/support/pages/node/7097785"}, {"source": "psirt@us.ibm.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.ibm.com/support/pages/node/7097801"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}]}