9.8

CVE-2020-4427

Warnung
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, and 2.0.6 could allow a remote attacker to bypass security restrictions when configured with SAML authentication. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to bypass the authentication process and gain full administrative access to the system. IBM X-Force ID: 180532.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
IbmData Risk Manager Version >= 2.0.1 <= 2.0.6.1

03.11.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog

IBM Data Risk Manager Security Bypass Vulnerability

Schwachstelle

IBM Data Risk Manager contains a security bypass vulnerability that could allow a remote attacker to bypass security restrictions when configured with SAML authentication. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to bypass the authentication process and gain full administrative access to the system.

Beschreibung

Apply updates per vendor instructions.

Erforderliche Maßnahmen
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 70.03% 0.993
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 9 8 10
AV:N/AC:L/Au:S/C:C/I:C/A:C
psirt@us.ibm.com 9 2.2 6
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

https://exchange.xforce.ibmcloud.com/vulnerabilities/180532
Vendor Advisory
VDB Entry
https://www.ibm.com/support/pages/node/6206875
Patch
Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-4427
US Government Resource
http://seclists.org/fulldisclosure/2024/Nov/0
Third Party Advisory
Mailing List
http://seclists.org/fulldisclosure/2024/Nov/1
Third Party Advisory
Mailing List