Improper Authentication in IBM Spectrum Scale

#VU66133 Improper Authentication in IBM Spectrum Scale

Published: 2022-08-05

Vulnerability identifier: #VU66133

Vulnerability risk: Low

CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-22411

CWE-ID: CWE-287

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
IBM Spectrum Scale
Client/Desktop applications / File managers, FTP clients

Vendor: IBM Corporation

Description

The vulnerability allows a remote user to bypass authentication process.

The vulnerability exists due to service account token configured with risky permission. A remote user can bypass authentication process and gain unauthorized access to the application.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

IBM Spectrum Scale: 5.1.3.1

External links
http://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-identified-in-ibm-spectrum-scale-data-access-services-das-where-service-account-token-configured-with-risky-permission-cve-2022-22411/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Improper Authentication in IBM Spectrum Scale Data Access Services (DAS)