Several vulnerabilities have been addressed in IBM Security Directory Server, IBM Security Directory Suite, and IBM Security Verify Directory products.
CVEID:CVE-2022-33164
**DESCRIPTION:**IBM Security Directory Server 7.2.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view or write to arbitrary files on the system. IBM X-Force ID: 228579.
CVSS Base score: 8.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/228579 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:H)
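As an added example (not IBM's code, and not tied to any particular Directory Server endpoint), the two sides of this bug class in Python: a detection rule that flags ".." path segments in a request path after percent-decoding and backslash normalisation, which can be run over access logs or at a reverse proxy, and the hardened form of serving a file, which resolves the requested path against the web root and refuses anything that escapes it. The web root and the sample paths are constructed for the example.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed web root for the example; not a real product path.
WEB_ROOT = "/opt/app/www"


def decode_fully(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so that %2e%2e and the double-encoded
    %252e%252e both collapse to '..' before any check is made."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def contains_traversal(url_path: str) -> bool:
    """Detection rule: True if any path segment is exactly '..' once the
    path has been decoded and backslashes treated as separators."""
    decoded = decode_fully(url_path).replace("\\", "/")
    return any(segment == ".." for segment in decoded.split("/"))


def resolve_under_root(url_path: str, root: str = WEB_ROOT) -> Optional[str]:
    """Hardened form: decode, normalise, and refuse anything that leaves root.
    Returns the resolved filesystem path, or None if the request escapes."""
    decoded = decode_fully(url_path).replace("\\", "/")
    # normpath collapses '.', '..' and duplicate slashes, so the prefix
    # comparison below is made on the path that would actually be opened.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate
```

The two checks deliberately differ: `contains_traversal` flags any ".." segment (a request like `/static/../index.html` is suspicious in a log even though it stays inside the root), while `resolve_under_root` only refuses requests whose normalised path leaves the root, which is the property the file server must enforce.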
CVEID:CVE-2022-33161
**DESCRIPTION:**IBM Security Directory Server could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/228569 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N)
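An added example (not IBM's code) of the check a practitioner would run after applying the fix: parse the head of an HTTPS response and report whether a usable Strict-Transport-Security header is present. The threshold `MIN_MAX_AGE` and the two sample responses are constructed for the example; the sample responses are not captured from a real server.

```python
import re
from typing import Dict, List

# Assumed minimum policy lifetime for the check (180 days in seconds).
MIN_MAX_AGE = 15552000


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Parse an HTTP response head (status line plus header lines) into a
    dict keyed by lower-cased header name. Stops at the blank line."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:   # skip the status line
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def check_hsts(headers: Dict[str, str]) -> List[str]:
    """Return findings for the HSTS header; an empty list means acceptable."""
    value = headers.get("strict-transport-security")
    if value is None:
        return ["Strict-Transport-Security header missing"]
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, val = part.partition("=")
        directives[key.strip().lower()] = val.strip().strip('"')
    findings: List[str] = []
    max_age = re.fullmatch(r"\d+", directives.get("max-age", ""))
    if max_age is None:
        findings.append("max-age directive missing or malformed")
    elif int(max_age.group()) == 0:
        findings.append("max-age=0 disables HSTS")
    elif int(max_age.group()) < MIN_MAX_AGE:
        findings.append(f"max-age {max_age.group()} below {MIN_MAX_AGE}")
    # includeSubDomains is a recommendation, not a requirement of the header.
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains not set")
    return findings


# Constructed sample responses for the example.
PATCHED = ("HTTP/1.1 200 OK\r\n"
           "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
           "Content-Type: text/html\r\n\r\n")
UNPATCHED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
```

To check a live instance, capture the response head over TLS (for example with `curl -sI https://host/`) and pass it to `parse_response_headers`. The header only protects clients that have already seen it over HTTPS, so the check is only meaningful against the HTTPS listener.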
CVEID:CVE-2022-32755
**DESCRIPTION:**IBM Security Directory Server is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/228505 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H)
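An added example, not IBM's code, of the hardening that removes this bug class from an expat-based XML parser in Python (the same approach the defusedxml project takes): any DOCTYPE and any entity declaration is refused before the document body is processed, so neither an external entity (the information-disclosure case) nor nested internal entities (the memory-consumption case) can be expanded. The three sample documents are constructed for the example.

```python
import xml.parsers.expat as expat
from typing import List, Tuple


class UnsafeXMLError(ValueError):
    """Raised when a document declares a DOCTYPE or an entity."""


def parse_hardened(data: bytes) -> List[Tuple[str, dict]]:
    """Parse XML with expat while refusing the constructs XXE relies on.
    Returns the (element name, attributes) pairs seen, in document order."""
    parser = expat.ParserCreate()
    seen: List[Tuple[str, dict]] = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # A DOCTYPE is the only place entities can be declared, so refusing
        # it outright rejects the whole class, not just known payloads.
        raise UnsafeXMLError(f"DOCTYPE {name!r} not allowed")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXMLError(f"entity declaration {name!r} not allowed")

    def on_external_ref(context, base, sysid, pubid):
        return 0  # refuse to fetch; expat turns 0 into a parse error

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartElementHandler = lambda name, attrs: seen.append((name, attrs))
    parser.Parse(data, True)
    return seen


def is_rejected(data: bytes) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_hardened(data)
    except UnsafeXMLError:
        return True
    return False


# Constructed sample documents.
BENIGN = b"<?xml version='1.0'?><config><entry name='a'/></config>"
EXTERNAL_ENTITY = (b"<?xml version='1.0'?>"
                   b"<!DOCTYPE d [<!ENTITY xxe SYSTEM 'file:///etc/passwd'>]>"
                   b"<d>&xxe;</d>")
NESTED_ENTITIES = (b"<?xml version='1.0'?>"
                   b"<!DOCTYPE d [<!ENTITY a 'aaaaaaaaaa'>"
                   b"<!ENTITY b '&a;&a;&a;&a;&a;'>]><d>&b;</d>")
```

Refusing every DOCTYPE is stricter than only blocking external entities, but it is the right default for data that arrives over the network; a parser that needs a DTD for validation should load one from a trusted local source rather than honour the one in the input.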
CVEID:CVE-2022-33168
**DESCRIPTION:**IBM Security Directory Suite VA 8.0.1 could allow an attacker to cause a denial of service due to uncontrolled resource consumption. IBM X-Force ID: 228588.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/228588 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Product(s) | Version(s) |
---|---|
IBM Security Directory Server | 6.4.0 |
IBM Security Directory Suite | 8.0.1 |
IBM Security Verify Directory | 10.0.0 |
IBM encourages customers to update their systems promptly.
For IBM Security Verify Directory 10.0 containers, refer to the download links listed in the Images link.
Affected Products and Version | Fix Availability |
---|---|
IBM Security Verify Directory 10.0.0 | IBM Security Verify Directory, Version 10.0.1 - Download Document |
IBM Security Directory Suite 8.0.1 | IBM Security Directory Suite 8.0.1 Fixpack 21 |
IBM Security Directory Server 6.4.0 | IBM Security Directory Server 6.4.0 Interim Fix 28 |
Workarounds and Mitigations: None
CPE Name | Operator | Version |
---|---|---|
ibm security directory suite | eq | 8.0.1 |
ibm security verify directory | eq | 10.0 |
ibm security directory server | eq | 6.4.0 |