Security Bulletin: IBM Sterling Partner Engagement Manager is vulnerable to security bypass due to Spring Security (CVE-2022-31692)

2023-01-10 10:53:26
www.ibm.com
ibm sterling partner engagement manager
spring security
vulnerability
cve-2022-31692
security bypass
remote attacker
authorization rules
patch
essentials edition
standard edition

CVSS3: 9.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.001
Percentile: 48.4%

Summary

IBM Sterling Partner Engagement Manager has addressed a vulnerability in Spring Security.

Vulnerability Details

CVEID: CVE-2022-31692
**DESCRIPTION:** VMware Tanzu Spring Security could allow a remote attacker to bypass security restrictions, caused by a flaw when using forward or include dispatcher types. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass authorization rules.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/239162 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| Partner Engagement Manager | 6.1.2, 6.2.0, 6.2.1 |

Remediation/Fixes

| Product | Version | Remediation |
|---|---|---|
| IBM Sterling Partner Engagement Manager Essentials Edition | 6.1.2.7 | http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+Sterling+Partner+Engagement+Manager+Software&fixids=IBM_PEM_Essentials_6.1.2.7&source=SAR |
| IBM Sterling Partner Engagement Manager Standard Edition | 6.1.2.7 | http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+Sterling+Partner+Engagement+Manager+Software&fixids=IBM_PEM_Standard_6.1.2.7&source=SAR |
| IBM Sterling Partner Engagement Manager Essentials Edition | 6.2.0.5 | http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+Sterling+Partner+Engagement+Manager+Software&fixids=IBM_PEM_Essentials_6.2.0.5&source=SAR |
| IBM Sterling Partner Engagement Manager Standard Edition | 6.2.0.5 | http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+Sterling+Partner+Engagement+Manager+Software&fixids=IBM_PEM_Standard_6.2.0.5&source=SAR |
| IBM Sterling Partner Engagement Manager Essentials Edition | 6.2.1.2 | http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+Sterling+Partner+Engagement+Manager+Software&fixids=IBM_PEM_Essentials_6.2.1.2&source=SAR |
| IBM Sterling Partner Engagement Manager Standard Edition | 6.2.1.2 | https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FOther+software%2FIBM+Sterling+Partner+Engagement+Manager+Software&fixids=IBM_PEM_Standard_6.2.1.2&source=SAR |

Workarounds and Mitigations

None

Affected configurations (Vulners match rules)

ibm multi-enterprise_integration_gateway Match 6.1
OR
ibm multi-enterprise_integration_gateway Match 6.2
OR
ibm multi-enterprise_integration_gateway Match 6.2.1

| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | multi-enterprise_integration_gateway | 6.1 | cpe:2.3:a:ibm:multi-enterprise_integration_gateway:6.1:*:*:*:*:*:*:* |
| ibm | multi-enterprise_integration_gateway | 6.2 | cpe:2.3:a:ibm:multi-enterprise_integration_gateway:6.2:*:*:*:*:*:*:* |
| ibm | multi-enterprise_integration_gateway | 6.2.1 | cpe:2.3:a:ibm:multi-enterprise_integration_gateway:6.2.1:*:*:*:*:*:*:* |
