9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.009 Low
EPSS
Percentile
82.0%
Security Vulnerablities have been addressed in IBM Common Licensing. In Spring Security versions 5.5.6 and 5.6.3 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. A fix is available to address the vulnerability.
CVEID:CVE-2022-22978
**DESCRIPTION:**Spring Security could allow a remote attacker to bypass security restrictions, caused by a flaw in the RegexRequestMatcher component. By misconfiguring RegexRequestMatcher with .
in the regular expression, an attacker could exploit this vulnerability to bypass authorization and obtain access.
CVSS Base score: 8.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/226989 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
**IBM X-Force ID:**220811
**DESCRIPTION:**Spring Security could allow a remote attacker to obtain sensitive information, caused by a breach attack vulnerability. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain CSRF tokens, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/220811 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
Affected Product(s) | Version(s) |
---|---|
IBM Common Licensing | Agent 9.0 |
IBM Common Licensing | ART 9.0 |
IBM strongly recommends addressing the vulnerability now by upgrading and applying the suggested fix that uses upgraded version of FasterXML.
Apply IBM_LKS_Administration_And_Reporting_Tool_And_Agent_90_iFix6 from Fix Central.
None
CPE | Name | Operator | Version |
---|---|---|---|
rational license key server | eq | 9.0 |
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.009 Low
EPSS
Percentile
82.0%