There are multiple vulnerabilities in IBM Sterling External Authentication Server detected by internal scans. IBM Sterling External Authentication Server has addressed the applicable vulnerabilities.
CVEID:CVE-2022-22333
**DESCRIPTION:**IBM Sterling Secure Proxy and IBM Sterling External Authentication Server are vulnerable a buffer overflow, due to the Jetty based GUI in the Secure Zone not properly validating the sizes of the form content and/or HTTP headers submitted. A local attacker positioned inside the Secure Zone could submit a specially crafted HTTP request to disrupt service.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/219133 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2022-22349
**DESCRIPTION:**IBM Sterling External Authentication Server is vulnerable to path traversals, due to not properly validating RESTAPI configuration data. An authorized user could import invalid data which could be used for an attack.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/220144 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
Affected Product(s) | Version(s) |
---|---|
IBM Sterling External Authentication Server | 6.0.3 |
IBM Sterling External Authentication Server | 6.0.2 |
IBM Sterling External Authentication Server | 3.4.3.2 |
Product | Version | iFix | Remediation Location |
---|---|---|---|
IBM Sterling External Authentication Server | 6.0.3.0 | iFix 2 | Fix Central |
IBM Sterling External Authentication Server | 6.0.2.0 | iFix 5 | Fix Central |
IBM Sterling External Authentication Server | 3.4.3.2 | iFix 14 | Fix Central |
None