SB2022062107 - Incorrect authorization in IBM DataPower Operator
Published: June 21, 2022 Updated: September 18, 2022
Security Bulletin ID
SB2022062107
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Incorrect authorization (CVE-ID: CVE-2022-23773)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists within cmd/go, which can misinterpret branch names that falsely appear to be version tags. This can lead to a situation where an attacker can bypass implemented security restrictions and perform restricted actions, e.g. create tags when access was granted to create branches only.
Remediation
Install update from vendor's website.
References
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-operator-affected-by-flaw-in-go-cve-2022-23773/"
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-operator-affected-by-flaw-in-go-cve-2022-23773/</a><br><a
- https://www.ibm.com/support/pages/node/6596965"
- https://www.ibm.com/support/pages/node/6596965</a><br><br><br></p>