Insufficiently protected credentials in IBM Spectrum Protect Plus



Published: 2023-03-23
Risk: Low
Patch available: YES
Number of vulnerabilities: 1
CVE-ID: CVE-2023-27863
CWE-ID: CWE-522
Exploitation vector: Network
Public exploit: N/A
Vulnerable software
IBM Spectrum Protect Plus
Server applications / Other server solutions

Vendor: IBM Corporation

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Insufficiently protected credentials

EUVDB-ID: #VU73998

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-27863

CWE-ID: CWE-522 - Insufficiently Protected Credentials

Exploit availability: No

Description

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists because IBM Spectrum Protect Plus for Db2 and Oracle, when transport encryption is enabled, can expose the SMB credentials used to access vSnap data stores. A remote privileged user can obtain SMB credentials that may be used to access vSnap data stores.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

IBM Spectrum Protect Plus: 10.1.0.0 - 10.1.13.1

External links

http://www.ibm.com/support/pages/node/6965812


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


