CVE-2021-20424
Description
IBM Cloud Pak for Applications 4.3 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. X-Force ID: 196309.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM Cloud Pak for Applications 4.3 may leak sensitive information via detailed error messages, aiding further attacks.
Vulnerability
IBM Cloud Pak for Applications version 4.3 and possibly earlier versions are affected by an information disclosure vulnerability [1]. The flaw occurs when the application returns a detailed technical error message in the browser, which may expose implementation details [1]. No authentication or special configuration is required beyond reaching an endpoint that triggers such an error [1].
Exploitation
An authenticated remote attacker can exploit this by crafting requests that cause the application to return verbose error messages [1]. The attacker does not need elevated privileges, only valid user credentials for the affected system [1]. The vulnerable code path is reachable through standard HTTP interactions [1].
Impact
Successful exploitation allows the attacker to obtain sensitive information about the application's implementation [1]. This could include file paths, version numbers, or other technical details that can be leveraged in subsequent attacks [1]. The confidentiality impact is low, as disclosed information is limited to what is included in error messages [1].
Mitigation
IBM has released version 4.3.1 of IBM Cloud Pak for Applications which updates error handling to prevent disclosure of implementation details [1]. Users should upgrade to this version. No workarounds are provided [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =4.3
- IBM/Cloud Pak for Applications, v5, Range: 4.3
Patches
No patches discovered yet.
References
- exchange.xforce.ibmcloud.com/vulnerabilities/196309 (mitre: vdb-entry, x_refsource_XF)
- www.ibm.com/support/pages/node/6471325 (mitre: x_refsource_CONFIRM)