
Security Bulletin: Security vulnerabilities have been fixed in IBM Security Verify Governance, Identity Manager virtual appliance component

2022-12-20 20:14:33
www.ibm.com

CVSS3: 6.5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.001 Low
Percentile: 39.3%

Summary

IBM Security Verify Governance, Identity Manager virtual appliance component has addressed the following vulnerabilities.

Vulnerability Details

CVEID: CVE-2022-22457
**DESCRIPTION:** IBM Security Verify Governance stores sensitive information including user credentials in plain clear text which can be read by a local privileged user.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225007 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N)

CVEID: CVE-2022-22449
**DESCRIPTION:** IBM Security Verify Identity Manager could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/224915 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2022-22456
**DESCRIPTION:** IBM Security Verify Governance is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 4.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225004 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2022-22458
**DESCRIPTION:** IBM Security Verify Governance stores user credentials in plain clear text which can be read by a remote authenticated user.
CVSS Base score: 6.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225009 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM Security Verify Governance, Identity Manager virtual appliance component | 10.0.1 |

Remediation/Fixes

| Affected Product(s) | Version(s) | Fix Availability |
| --- | --- | --- |
| IBM Security Verify Governance, Identity Manager virtual appliance component | 10.0.1.0 | 10.0.1.0-ISS-ISVG-IMVA-FP0003 |

Workarounds and Mitigations

None

Affected configurations

Vulners
Node: ibm security_identity_manager, Match 10.0.1

| CPE | Name | Operator | Version |
| --- | --- | --- | --- |
| | ibm security identity manager | eq | 10.0.1 |
