CVE-2021-29872
First published: Mon Jan 17 2022(Updated: )
IBM Cloud Pak for Automation 21.0.1 and 21.0.2 - Business Automation Studio Component is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. By sending a specially crafted HTTP request, a remote attacker could exploit this vulnerability to inject HTTP HOST header, which will allow the attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 206228.
Credit: psirt@us.ibm.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| IBM Cloud Pak for Automation | <21.0.2 | |
| IBM Cloud Pak for Automation | =21.0.2 | |
| IBM Cloud Pak for Automation | =21.0.2-interim_fix001 | |
| IBM Cloud Pak for Automation | =21.0.2-interim_fix002 | |
| IBM Cloud Pak for Automation | =21.0.2-interim_fix003 | |
| IBM Cloud Pak for Automation | =21.0.2-interim_fix004 | |
| IBM Cloud Pak for Automation | =21.0.2-interim_fix005 | |
| IBM Cloud Pak for Automation | =21.0.2-interim_fix006 | |
| IBM Cloud Pak for Automation | <21.0.1 | |
| IBM Cloud Pak for Automation | =21.0.1 | |
| IBM Cloud Pak for Automation | =21.0.1-interim_fix001 | |
| IBM Cloud Pak for Automation | =21.0.1-interim_fix002 | |
| IBM Cloud Pak for Automation | =21.0.1-interim_fix003 | |
| IBM Cloud Pak for Automation | =21.0.1-interim_fix004 | |
| IBM Cloud Pak for Automation | =21.0.1-interim_fix005 | |
| IBM Cloud Pak for Automation | =21.0.1-interim_fix006 | |
| <=21.0.1 before IF00721.0.2 before IF007 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2021-29872?
CVE-2021-29872 is a vulnerability in IBM Cloud Pak for Automation version 21.0.1 and 21.0.2 Business Automation Studio component that allows remote attackers to inject HTTP headers.
How severe is CVE-2021-29872?
CVE-2021-29872 has a severity rating of 5.4, which is considered medium.
How can I fix CVE-2021-29872?
To fix CVE-2021-29872, update to IBM Cloud Pak for Automation version 21.0.1 IF00721.0.2 IF007 or later.
What is HTTP header injection?
HTTP header injection is a vulnerability that allows an attacker to manipulate or inject malicious headers in an HTTP request or response.
Where can I find more information about CVE-2021-29872?
For more information about CVE-2021-29872, you can visit the IBM X-Force Exchange or the IBM support page provided in the references.
- collector/nvd-index
- agent/references
- agent/type
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/severity
- agent/weakness
- agent/author
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- agent/description
- agent/event
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- vendor/ibm
- canonical/ibm cloud pak for automation
- version/ibm cloud pak for automation/21.0.2
- version/ibm cloud pak for automation/21.0.2-interim_fix001
- version/ibm cloud pak for automation/21.0.2-interim_fix002
- version/ibm cloud pak for automation/21.0.2-interim_fix003
- version/ibm cloud pak for automation/21.0.2-interim_fix004
- version/ibm cloud pak for automation/21.0.2-interim_fix005
- version/ibm cloud pak for automation/21.0.2-interim_fix006
- version/ibm cloud pak for automation/21.0.1
- version/ibm cloud pak for automation/21.0.1-interim_fix001
- version/ibm cloud pak for automation/21.0.1-interim_fix002
- version/ibm cloud pak for automation/21.0.1-interim_fix003
- version/ibm cloud pak for automation/21.0.1-interim_fix004
- version/ibm cloud pak for automation/21.0.1-interim_fix005
- version/ibm cloud pak for automation/21.0.1-interim_fix006
- version/ibm cloud pak for automation/21.0.1 before if00721.0.2 before if007