IBM2CFDD541EC278BB9830E3BEED22609CAEA322A3E4A49AC42DB89BD1128E44605Security Bulletin: Multiple Vulnerabilities in IBM Security Guardium Key Lifecycle Manager
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
AI Score
Confidence
Low
EPSS
Percentile
35.2%
Summary
There are multiple vulnerabilities identified in IBM Security Guardium Key Lifecycle Manager. These vulnerabilties have been fixed in IBM Security Guardium Key Lifecycle Manager v4.2.0.2. Please apply the latest fix packs for the fixes.
Vulnerability Details
CVEID:CVE-2023-47704
**DESCRIPTION:**IBM Security Guardium Key Lifecycle Manager contains plain text hard-coded credentials or other secrets in source code repository.
CVSS Base score: 4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/271220 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N)
CVEID:CVE-2023-47705
**DESCRIPTION:**IBM Security Guardium Key Lifecycle Manager could allow an authenticated user to manipulate username data due to improper input validation.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/271228 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
CVEID:CVE-2023-47706
**DESCRIPTION:**IBM Security Guardium Key Lifecycle Manager could allow an authenticated user to upload files of a dangerous file type.
CVSS Base score: 6.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/271341 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
CVEID:CVE-2023-47702
**DESCRIPTION:**IBM Security Guardium Key Lifecycle Manager could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing “dot dot” sequences (/…/) to view modify files on the system.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/271196 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
CVEID:CVE-2023-47703
**DESCRIPTION:**IBM Security Guardium Key Lifecycle Manager could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/271197 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID:CVE-2023-47707
**DESCRIPTION:**IBM Security Guardium Key Lifecycle Manager is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/271522 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM Security Guardium Key Lifecycle Manager | 4.2 |
Remediation/Fixes
| Product(s) | Remediation / Fix |
|---|---|
| IBM Security Guardium Key Lifecycle Manager | Please apply GKLM 4.2 fixpack 2. It can be downloaded from following location - 4.2.0-ISS-GKLM-FP0002 |
Workarounds and Mitigations
None
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | security_guardium_key_lifecycle_manager | 4.2 | cpe:2.3:a:ibm:security_guardium_key_lifecycle_manager:4.2:*:*:*:*:*:*:* |
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
AI Score
Confidence
Low
EPSS
Percentile
35.2%