CVE-2020-4941
Description
IBM Edge 4.2 could reveal sensitive version information about the server from error pages that could aid an attacker in further attacks against the system. IBM X-Force ID: 191941.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM Edge 4.2 discloses sensitive version information in error pages, aiding attackers in further attacks.
Vulnerability
IBM Edge version 4.2 contains a vulnerability, triggered by an unexpected Content-Type, that causes the server to reveal sensitive version information in error pages [1]. The issue occurs when a request with an unexpected Content-Type header is sent, triggering an error response that includes internal version details. This information can be used by an attacker to tailor further attacks against the system.
Exploitation
An attacker with low privileges (CVSS PR:L) can send a crafted HTTP request with an unexpected Content-Type header to an IBM Edge 4.2 server [1]. No user interaction is required (UI:N). The server responds with an error page that inadvertently exposes version information, which the attacker can then collect and analyze.
Impact
Successful exploitation results in the disclosure of sensitive version information about the IBM Edge server (confidentiality impact: low) [1]. This information can aid an attacker in identifying specific vulnerabilities or misconfigurations, potentially enabling more targeted attacks. There is no impact on integrity or availability.
Mitigation
IBM has resolved this vulnerability in the latest Docker images, which are automatically pulled and deployed from Docker Hub and the IBM Entitled Registry [1]. Users should ensure their IBM Edge 4.2 deployment is updated to the latest available images. No workarounds are available [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- IBM/Edge, v5, Range: 4.2
Patches
No patches discovered yet.
References
- exchange.xforce.ibmcloud.com/vulnerabilities/191941 (mitre, vdb-entry, x_refsource_XF)
- www.ibm.com/support/pages/node/6491627 (mitre, x_refsource_CONFIRM)