IBM3F36A0EB400EF78B35BE069EAB4A9067A8AC269C02EF1F9C70F2D9036972D1F7Security Bulletin: IBM Jazz for Service Management is vulnerable to Apache Derby security bypass [CVE-2022-46337]
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
62.2%
Summary
Apache Derby database is used by IBM Jazz for Service Management to store dashboards data. [CVE-2022-46337] This bulletin identifies the steps to take to address the vulnerability.
Vulnerability Details
CVEID:CVE-2022-46337
**DESCRIPTION:**Apache Derby could allow a remote attacker to bypass security restrictions, caused by a LDAP injection vulnerability in authenticator. By sending a specially crafted request, an attacker could exploit this vulnerability to view and corrupt sensitive data and run sensitive database functions and procedures.
CVSS Base score: 9.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/271915 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| Jazz for Service Management | 1.1.3.0 to 1.1.3.20 |
Remediation/Fixes
| Affected JazzSM Version | Recommended Fix. |
|---|---|
| Jazz for Service Management versions - 1.1.3.0 to 1.1.3.20 |
Install JazzSM 1.1.3.21 - 1.1.3-TIV-JazzSM-multi-FP021
Workarounds and Mitigations
None
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | jazz_for_service_management | 1.1.3 | cpe:2.3:a:ibm:jazz_for_service_management:1.1.3:*:*:*:*:*:*:* |
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
62.2%