**CVSS v3.1 base score: 8.5 (High)**

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Privileges Required | LOW |
User Interaction | NONE |
Scope | CHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

**EPSS score: 0.0004 (Low), percentile 9.1%**
There are multiple vulnerabilities identified in IBM Security Guardium Key Lifecycle Manager. These vulnerabilities have been fixed in IBM Security Guardium Key Lifecycle Manager v4.2 and v4.1.1.7. Please upgrade to GKLM v4.2 or apply the latest fix pack (4.1.1 FP 7) to obtain the fixes.
CVEID: CVE-2023-25921
**DESCRIPTION:** IBM Security Guardium Key Lifecycle Manager allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.
CVSS Base score: 8.5
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/247620 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
CVEID: CVE-2023-25926
**DESCRIPTION:** IBM Security Guardium Key Lifecycle Manager could allow a local privileged user to escalate their privileges to a higher level of access.
CVSS Base score: 6.4
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/247633 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2023-25685
**DESCRIPTION:** IBM Security Guardium Key Lifecycle Manager is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
CVSS Base score: 5.5
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/247599 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H)
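The XXE entry above describes the two classic outcomes of an XML parser that honours DTDs: disclosure through external entities and memory exhaustion through entity expansion. The guard below is an added example written for this bulletin, not IBM's code and not how GKLM handles XML; it assumes a service that receives untrusted XML as bytes and shows the defensive pattern of rejecting any document that carries a DOCTYPE at all, capping input size, and additionally disabling external entity resolution in Python's stdlib `xml.sax` parser as defence in depth. The sample documents are constructed for the example.

```python
"""Guarded XML intake: reject DTDs, cap size, disable external entities.

Added example (not IBM/GKLM code). Uses only the Python standard library.
"""
import io
import re
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# Any DOCTYPE is rejected outright: without a DTD there are no entity
# declarations, so neither external-entity disclosure nor entity-expansion
# ("billion laughs") memory exhaustion is possible.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


class UnsafeXML(ValueError):
    """Raised when an input fails one of the pre-parse checks."""


class _Collector(ContentHandler):
    """Minimal SAX handler that records element names and text."""

    def __init__(self) -> None:
        super().__init__()
        self.elements: list[str] = []
        self.text: list[str] = []

    def startElement(self, name, attrs) -> None:
        self.elements.append(name)

    def characters(self, content) -> None:
        self.text.append(content)


def parse_untrusted_xml(data: bytes, max_bytes: int = 1_000_000) -> dict:
    """Parse XML from an untrusted source with DTD processing refused.

    Returns {"elements": [...], "text": "..."} or raises UnsafeXML.
    """
    if len(data) > max_bytes:
        raise UnsafeXML(f"document exceeds size limit of {max_bytes} bytes")
    if DOCTYPE_RE.search(data):
        raise UnsafeXML("DOCTYPE/DTD declarations are not accepted")

    parser = xml.sax.make_parser()
    # Defence in depth: even if a DTD slipped past the check above, the
    # expat-backed parser will not fetch external general/parameter entities.
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    handler = _Collector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(data))
    return {"elements": handler.elements, "text": "".join(handler.text).strip()}


def guard_verdict(data: bytes) -> str:
    """Classify an input as 'accepted' or 'rejected: <reason>'."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXML as exc:
        return f"rejected: {exc}"
    except xml.sax.SAXParseException as exc:
        return f"rejected: malformed XML ({exc.getMessage()})"
    return "accepted"


# Constructed samples: a benign request and a DTD-carrying one.
BENIGN_SAMPLE = b'<?xml version="1.0"?><keyRequest><alias>example-key-1</alias></keyRequest>'
DTD_SAMPLE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE r [<!ENTITY ext SYSTEM "file:///EXAMPLE-ONLY">]>'
    b"<r>&ext;</r>"
)

if __name__ == "__main__":
    print(guard_verdict(BENIGN_SAMPLE))
    print(guard_verdict(DTD_SAMPLE))
```

Refusing DOCTYPE entirely is the simplest policy to reason about; if a schema legitimately needs a DTD, the parser-level features are the fallback, and in that case the size cap is what bounds entity-expansion cost.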
CVEID: CVE-2023-25922
**DESCRIPTION:** IBM Security Guardium Key Lifecycle Manager allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.
CVSS Base score: 4.3
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/247621 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
CVEID: CVE-2023-25925
**DESCRIPTION:** IBM Security Guardium Key Lifecycle Manager could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request.
CVSS Base score: 8.5
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/247632 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
Affected Product(s) | Version(s) |
---|---|
IBM Security Key Lifecycle Manager | 3.0 |
IBM Security Key Lifecycle Manager | 3.0.1 |
IBM Security Guardium Key Lifecycle Manager | 4.0 |
IBM Security Guardium Key Lifecycle Manager | 4.1 |
IBM Security Guardium Key Lifecycle Manager | 4.1.1 |
1. GKLM users on GKLM version 3.0, 3.0.1, 4.0 or 4.1 can either:
   i. upgrade to GKLM 4.1.1 and then apply 4.1.1-ISS-SKLM-FP0007, or
   ii. upgrade to GKLM v4.2.
2. GKLM users on GKLM version 4.1.1.x can either:
   i. apply 4.1.1-ISS-SKLM-FP0007, or
   ii. upgrade to GKLM v4.2.
3. New GKLM users can directly install GKLM v4.2.
Product(s) | Remediation / Fix |
---|---|
IBM Security Guardium Key Lifecycle Manager | 4.1.1-ISS-SKLM-FP0007 |
IBM Security Guardium Key Lifecycle Manager - GKLM v4.2 | IBM Passport Advantage website |
None