Weak password requirements in IBM Data Risk Manager - CVE-2020-4429
Published: April 22, 2020 / Updated: May 5, 2020
Vulnerability identifier: #VU27085
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
CVE-ID: CVE-2020-4429
CWE-ID: CWE-521
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vendor: IBM Corporation
Affected software:
IBM Data Risk Manager
IBM Data Risk Manager
Detailed vulnerability description
The vulnerability allows an attacker to gain unauthorized access to the application.
The vulnerability exists due to application is using default credentials of "a3user:idrm" for user with access to SSH and sudo commands and does not require obligatory password change for this account upon first login.A remote attacker can abuse this account to gain unauthorized access to the application.
Note, despite the case being described in the IBM documentation this is a security vulnerability that should be addresses by forcing users to change default passwords rather than writing about it in manuals.
How to mitigate CVE-2020-4429
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.