Lucene search

IbmCVELIST:CVE-2023-25681

HistoryMar 05, 2024 - 7:42 p.m.

CVE-2023-25681 IBM Spectrum Virtualize security bypass

2024-03-0519:42:01

CWE-308

ibm

www.cve.org

ibm spectrum virtualize

security bypass

ldap

multifactor authentication

cim interface

username and password

local users

remote users

single sign-on

ibm x-force id

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

AI Score

5.5

Confidence

High

EPSS

Percentile

9.0%

JSON

LDAP users on IBM Spectrum Virtualize 8.5 which are configured to require multifactor authentication can still authenticate to the CIM interface using only username and password. This does not affect local users with MFA configured or remote users authenticating via single sign-on. IBM X-Force ID: 247033.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Spectrum Virtualize",
    "vendor": "IBM",
    "versions": [
      {
        "status": "affected",
        "version": "8.5"
      }
    ]
  }
]

References

exchange.xforce.ibmcloud.com/vulnerabilities/247033

www.ibm.com/support/pages/node/6962203

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

AI Score

5.5

Confidence

High

EPSS

Percentile

9.0%

JSON

Related for CVELIST:CVE-2023-25681