Security Bulletin: IBM Sterling Partner Engagement Manager is vulnerable unauthorized privilege escalation due to Spring Security (CVE-2022-31690)

2023-01-10 10:39:55
www.ibm.com
ibm sterling partner engagement manager
spring security
vulnerability
privilege escalation
cve-2022-31690
risk mitigation
patch
fix management

CVSS3 base score: 8.1 High
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.003 Low (percentile 65.2%)

Summary

IBM Sterling Partner Engagement Manager has addressed a vulnerability in Spring Security that allows a remote attacker to gain elevated privileges on the system.

Vulnerability Details

CVEID: CVE-2022-31690
DESCRIPTION: VMware Tanzu Spring Security could allow a remote attacker to gain elevated privileges on the system. By modifying a request initiated by the Client (via the browser) to the Authorization Server, an attacker could exploit this vulnerability to gain elevated privileges on the system.
CVSS Base score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/239738 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) | Version(s)
IBM Sterling Partner Engagement Manager | 6.1.2, 6.2.0, 6.2.1

Remediation/Fixes

Product | Version | Remediation
IBM Sterling Partner Engagement Manager Essentials Edition | 6.1.2.7 | http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+Sterling+Partner+Engagement+Manager+Software&fixids=IBM_PEM_Essentials_6.1.2.7&source=SAR
IBM Sterling Partner Engagement Manager Standard Edition | 6.1.2.7 | http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+Sterling+Partner+Engagement+Manager+Software&fixids=IBM_PEM_Standard_6.1.2.7&source=SAR
IBM Sterling Partner Engagement Manager Essentials Edition | 6.2.0.5 | http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+Sterling+Partner+Engagement+Manager+Software&fixids=IBM_PEM_Essentials_6.2.0.5&source=SAR
IBM Sterling Partner Engagement Manager Standard Edition | 6.2.0.5 | http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+Sterling+Partner+Engagement+Manager+Software&fixids=IBM_PEM_Standard_6.2.0.5&source=SAR
IBM Sterling Partner Engagement Manager Essentials Edition | 6.2.1.2 | http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+Sterling+Partner+Engagement+Manager+Software&fixids=IBM_PEM_Essentials_6.2.1.2&source=SAR
IBM Sterling Partner Engagement Manager Standard Edition | 6.2.1.2 | https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FOther+software%2FIBM+Sterling+Partner+Engagement+Manager+Software&fixids=IBM_PEM_Standard_6.2.1.2&source=SAR

Workarounds and Mitigations

None

Affected configurations (Vulners match)

ibm multi-enterprise_integration_gateway: 6.1 OR 6.2 OR 6.2.1
