Description
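IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 is vulnerable to insufficiently protected credentials for users created via a bulk upload. IBM X-Force ID: 228888. Note that the data on this page is not fully consistent: the IBM bulletin quoted below lists every release before 21.0.3 as affected and names 21.0.3 as the fix, whereas the CPE fields mark 21.0.3 itself as vulnerable, and the NVD CVSS 3.1 vector (C:H/I:N, base score 6.5) differs from IBM's own CVSS 3.0 vector (C:N/I:H, base score 5.3). Check the installed version against the vendor bulletin rather than relying on the CPE match alone.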
Affected Software
Related
{"id": "CVE-2022-33169", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2022-33169", "description": "IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 is vulnerable to insufficiently protected credentials for users created via a bulk upload. IBM X-Force ID: 228888.", "published": "2022-08-01T11:15:00", "modified": "2022-08-05T03:33:00", "epss": [{"cve": "CVE-2022-33169", "epss": 0.00049, "percentile": 0.16359, "modified": "2023-06-03"}], "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 4.0}, "severity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.6}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-33169", "reporter": "psirt@us.ibm.com", "references": ["https://exchange.xforce.ibmcloud.com/vulnerabilities/228888", "https://www.ibm.com/support/pages/node/6608454"], "cvelist": ["CVE-2022-33169"], "immutableFields": [], "lastseen": "2023-06-03T14:43:59", "viewCount": 28, "enchantments": {"twitter": {"counter": 2, "tweets": [{"link": "https://twitter.com/ThreatFeed/status/1555200903854321664", "text": "CVE-2022-33169 https://t.co/ASFWqrhIpG", "author": "ThreatFeed", 
"author_photo": "https://abs.twimg.com/sticky/default_profile_images/default_profile_400x400.png"}]}, "score": {"value": 5.1, "vector": "NONE"}, "dependencies": {"references": [{"type": "ibm", "idList": ["17F7AA8475FFB73538F74532FA61882558E8C70D9132B5893BD4137C60DCA3ED"]}]}, "affected_software": {"major_version": [{"name": "ibm robotic process automation", "version": 21}]}, "epss": [{"cve": "CVE-2022-33169", "epss": 0.00049, "percentile": 0.16345, "modified": "2023-05-02"}], "vulnersScore": 5.1}, "_state": {"twitter": 0, "score": 1685803694, "dependencies": 1685832767, "affected_software_major_version": 0, "epss": 0}, "_internal": {"score_hash": "e3e4e2e48e98b2f646d31560d62620ce"}, "cna_cvss": {"cna": "IBM Corporation", "cvss": {"3": {"vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "score": 5.3}}}, "cpe": ["cpe:/a:ibm:robotic_process_automation:21.0.3"], "cpe23": ["cpe:2.3:a:ibm:robotic_process_automation:21.0.3:*:*:*:*:*:*:*"], "cwe": ["CWE-522"], "affectedSoftware": [{"cpeName": "ibm:robotic_process_automation", "version": "21.0.3", "operator": "le", "name": "ibm robotic process automation"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:ibm:robotic_process_automation:21.0.3:*:*:*:*:*:*:*", "versionStartIncluding": "21.0.0", "versionEndIncluding": "21.0.3", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/228888", "name": "ibm-rpa-cve202233169-sec-bypass (228888)", "refsource": "XF", "tags": ["VDB Entry", "Vendor Advisory"]}, {"url": "https://www.ibm.com/support/pages/node/6608454", "name": "https://www.ibm.com/support/pages/node/6608454", "refsource": "CONFIRM", "tags": ["Vendor Advisory"]}], "product_info": [{"vendor": "IBM", "product": "Robotic Process Automation"}], "solutions": [], "workarounds": [], "impacts": [], "problemTypes": [{"descriptions": 
[{"description": "Bypass Security", "lang": "en", "type": "text"}]}], "exploits": [], "assigned": "1976-01-01T00:00:00"}
{"prion": [{"lastseen": "2023-08-15T18:00:49", "description": "IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 is vulnerable to insufficiently protected credentials for users created via a bulk upload. IBM X-Force ID: 228888.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-08-01T11:15:00", "type": "prion", "title": "CVE-2022-33169", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-33169"], "modified": "2022-08-05T03:33:00", "id": "PRION:CVE-2022-33169", "href": "https://kb.prio-n.com/vulnerability/CVE-2022-33169", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}], "ibm": [{"lastseen": "2023-06-03T17:44:56", "description": "## Summary\n\nSecurity Bulletin: IBM Robotic Process Automation is vulnerable to insufficiently protected credential for users created via bulk upload (CVE-2022-33169)\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-33169](<https://vulners.com/cve/CVE-2022-33169>) \n** DESCRIPTION: **IBM Robotic Process Automation is vulnerable to insufficiently protected credentials for users created via a bulk upload. 
\nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/228888](<https://exchange.xforce.ibmcloud.com/vulnerabilities/228888>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Robotic Process Automation| < 21.0.3 \nIBM Robotic Process Automation for Cloud Pak| < 21.0.3 \nIBM Robotic Process Automation as a Service| All \n \n\n\n## Remediation/Fixes\n\n**IBM strongly recommends addressing the vulnerability now.**\n\n**Product(s)**| **Version(s) \n**| **Remediation/Fix/Instructions** \n---|---|--- \nIBM Robotic Process Automation| < 21.0.3| \n\nDownload and install 21.0.3 \n \nIBM Robotic Process Automation for Cloud Pak| < 21.0.3| Download and Install 21.0.3 \nIBM Robotic Process Automation as a Service| All| No action required as IBM Robotic Process Automation as a Service servers have been updated to 21.0.3 or higher. 
\n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-07-29T16:04:39", "type": "ibm", "title": "Security Bulletin: IBM Robotic Process Automation is vulnerable to insufficiently protected credential for users created via bulk upload (CVE-2022-33169)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-33169"], "modified": "2022-07-29T16:04:39", "id": "17F7AA8475FFB73538F74532FA61882558E8C70D9132B5893BD4137C60DCA3ED", "href": "https://www.ibm.com/support/pages/node/6608454", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}]}