CVE-2019-4142
Description
IBM Cloud Private 2.1.0, 3.1.0, 3.1.1, and 3.1.2 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 158338.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM Cloud Private Platform-UI is vulnerable to cross-site request forgery, allowing an attacker to perform unauthorized actions on behalf of an authenticated user.
Vulnerability
IBM Cloud Private versions 2.1.0, 3.1.0, 3.1.1, and 3.1.2 contain a cross-site request forgery (CSRF) vulnerability in the Platform-UI component. The vulnerability allows an attacker to trick an authenticated user into executing unintended actions, as the application does not properly validate or enforce CSRF tokens [1].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious web page or link that, when visited by an authenticated IBM Cloud Private user, triggers unauthorized requests to the Platform-UI. The attacker does not need authentication but relies on user interaction (e.g., clicking a link) and the user's active session. The attack is network-based with low complexity [1].
Impact
Successful exploitation enables the attacker to perform actions with the victim's privileges, such as modifying configuration or executing operations that the user is authorized to perform. Per the CVSS vector (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N), the confidentiality impact is none, the integrity impact is low, and the availability impact is none [1].
Mitigation
IBM has released patches for the affected versions. For 3.1.2 and 3.1.1, apply the platform-ui patch. For 2.1.x and 3.1.0, upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud Private 3.2. Alternatively, contact IBM support for assistance [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 2.1.0, 3.1.0, 3.1.1, 3.1.2
- IBM/Cloud Private | v5 | Range: 2.1.0
Patches
No patches discovered yet.
References
- exchange.xforce.ibmcloud.com/vulnerabilities/158338 (mitre; vdb-entry; x_refsource_XF)
- www.ibm.com/support/docview.wss (mitre; x_refsource_CONFIRM)