IBM94114E77209124B66B3BBF2946BA61AD9B63CDDBD83A2CE651E0A3603170472BSecurity Bulletin: IBM Security Guardium is affected by a multiple vulnerabilities (CVE-2023-22809, CVE-2019-12490, CVE-2023-0041)
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.002 Low
EPSS
Percentile
64.7%
Summary
IBM Security Guardium has addressed these vulnerabilities.
Vulnerability Details
CVEID:CVE-2023-0041
**DESCRIPTION:**IBM Security Guardium could allow a user to take over another user’s session due to insufficient session expiration.
CVSS Base score: 6.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/243657 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
CVEID:CVE-2023-22809
**DESCRIPTION:**Sudo could allow a local authenticated attacker to gain elevated privileges on the system, caused by mishandling extra arguments passed in the user-provided environment variables. By appending arbitrary entries to the list of files to process, an attacker could exploit this vulnerability to achieve privilege escalation.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/245036 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVEID:CVE-2019-12490
**DESCRIPTION:**Simple Machines Forum (SMF) could allow a remote attacker to bypass security restrictions, caused by a reverse tabnabbing flaw. By persuading a victim to visit a specially-crafted Web site, an attacker could exploit this vulnerability to obtain credentials.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/175609 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM Security Guardium | 11.3 |
| IBM Security Guardium | 11.4 |
| IBM Security Guardium | 11.5 |
Remediation/Fixes
IBM encourages customers to update their systems promptly.
| Product | Versions | ** Fix** |
|---|---|---|
| IBM Security Guardium | 11.3 |
IBM Security Guardium| 11.4| https://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=11.0&platform=Linux&function=fixId&fixids=SqlGuard_11.0p475_Bundle_Jul-20-2023&includeSupersedes=0&source=fc
IBM Security Guardium| 11.5| | http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=11.0&platform=Linux&function=fixId&fixids=SqlGuard_11.0p525_Bundle_May-18-2023&includeSupersedes=0&source=fc
Workarounds and Mitigations
None
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm security guardium | eq | 11.3 | |
| ibm security guardium | eq | 11.4 | |
| ibm security guardium | eq | 11.5 |
Related
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.002 Low
EPSS
Percentile
64.7%