Incorrect use of privileged APIs in IBM Cloud Pak for Security (CP4S)



Published: 2023-05-25
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2023-30993
CWE-ID CWE-648
Exploitation vector Network
Public exploit N/A
Vulnerable software
Cloud Pak for Security (CP4S)
Client/Desktop applications / Other client software

Vendor IBM Corporation

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Incorrect Use of Privileged APIs

EUVDB-ID: #VU76511

Risk: Medium

CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-30993

CWE-ID: CWE-648 - Incorrect Use of Privileged APIs

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to the incorrect use of privileged APIs. A remote attacker with a valid API key for one tenant can trigger the vulnerability to access data from another tenant's account.
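The following is an added illustration of the CWE-648 pattern described above, not CP4S code: a request handler that authenticates an API key and then lets a privileged backend client read whatever tenant the caller names, beside a hardened handler that derives the tenant scope from the key itself. The tenants, keys and records are constructed sample data.

```python
# Added example of CWE-648 (incorrect use of a privileged API) in a
# multi-tenant service. All names and data are constructed; this is not CP4S code.

class Forbidden(Exception):
    """Raised when a request is rejected by the handler."""

# Constructed sample data: each tenant's private records.
TENANT_RECORDS = {
    "tenant-a": ["case-a-1", "case-a-2"],
    "tenant-b": ["case-b-1"],
}

# Constructed API keys; every key is issued to exactly one tenant.
API_KEYS = {"key-a": "tenant-a", "key-b": "tenant-b"}


class PrivilegedStore:
    """Backend client using a service credential that can read any tenant."""

    def read(self, tenant_id):
        return list(TENANT_RECORDS.get(tenant_id, []))


def vulnerable_list_cases(api_key, requested_tenant):
    """Authenticates the key but forwards the caller-chosen tenant unchecked
    to the privileged client, so key-a can read tenant-b's data."""
    if api_key not in API_KEYS:
        raise Forbidden("unknown API key")
    return PrivilegedStore().read(requested_tenant)


def hardened_list_cases(api_key, requested_tenant=None):
    """Derives the tenant from the authenticated key and refuses any request
    that names a different tenant before the privileged client is touched."""
    tenant = API_KEYS.get(api_key)
    if tenant is None:
        raise Forbidden("unknown API key")
    if requested_tenant is not None and requested_tenant != tenant:
        # Worth logging: a valid key asking for another tenant's data is a
        # strong signal of probing for exactly this class of flaw.
        raise Forbidden("tenant mismatch")
    return PrivilegedStore().read(tenant)


def cross_tenant_read_blocked(api_key, other_tenant):
    """True when the hardened handler refuses a read outside the key's tenant."""
    try:
        hardened_list_cases(api_key, other_tenant)
    except Forbidden:
        return True
    return False
```

The fix is not in the privileged client itself but in the boundary above it: the privileged credential must only ever be exercised with a scope the handler computed from the caller's own identity.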

Mitigation

Install update from vendor's website.

Vulnerable software versions

Cloud Pak for Security (CP4S): before 1.10.0.0

External links

http://www.ibm.com/support/pages/node/6995221


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
