Multiple vulnerabilities in IBM Maximo Asset Management

Published: 2024-01-16

Risk	High
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2020-7692 CVE-2021-22573
CWE-ID	CWE-863 CWE-347
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	IBM Maximo Asset Management Server applications / Other server solutions
Vendor	IBM Corporation

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Incorrect authorization

EUVDB-ID: #VU72076

Risk: High

CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-7692

CWE-ID: CWE-863 - Incorrect Authorization

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass authorization process.

The vulnerability exists due to missing support for PKCE. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM Maximo Asset Management: before 7.6.1.3.13

External links

http://www.ibm.com/support/pages/node/7107714

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper Verification of Cryptographic Signature

EUVDB-ID: #VU64471

Risk: Low

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-22573

CWE-ID: CWE-347 - Improper Verification of Cryptographic Signature