Lucene search

IbmCVELIST:CVE-2022-22472

HistoryJun 30, 2022 - 4:50 p.m.

CVE-2022-22472

2022-06-3016:50:27

ibm

www.cve.org

ibm spectrum protect plus

container backup and restore

remote attacker

bypass

access control restrictions

session information

unauthorized access

ibm x-force id

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L/E:U/RL:O/RC:C

AI Score

8.5

Confidence

High

EPSS

0.002

Percentile

55.2%

JSON

IBM Spectrum Protect Plus Container Backup and Restore (10.1.5 through 10.1.10.2 for Kubernetes and 10.1.7 through 10.1.10.2 for Red Hat OpenShift) could allow a remote attacker to bypass IBM Spectrum Protect Plus role based access control restrictions, caused by improper disclosure of session information. By retrieving the logs of a container an attacker could exploit this vulnerability to bypass login security of the IBM Spectrum Protect Plus server and gain unauthorized access based on the permissions of the IBM Spectrum Protect Plus user to the vulnerable Spectrum Protect Plus server software. IBM X-Force ID: 225340.

CNA Affected

[
  {
    "product": "Spectrum Protect Plus",
    "vendor": "IBM",
    "versions": [
      {
        "status": "affected",
        "version": "10.1.5"
      },
      {
        "status": "affected",
        "version": "10.1.7"
      },
      {
        "status": "affected",
        "version": "10.1.10.2"
      }
    ]
  }
]

References

exchange.xforce.ibmcloud.com/vulnerabilities/225340

www.ibm.com/support/pages/node/6596907