CVE-2020-4496 — Improper Certificate Validation in IBM Spectrum Protect Plus

CWE-295 — Improper Certificate Validation4 documents4 sources

Severity

5.9MEDIUMNVD

EPSS

0.1%

top 73.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

IBM Spectrum Protect Plus

Timeline

PublishedDec 13

Latest updateDec 14

Description

The IBM Spectrum Protect Plus 10.1.0.0 through 10.1.8.x server connection to an IBM Spectrum Protect Plus workload agent is subject to a man-in-the-middle attack due to improper certificate validation. IBM X-Force ID: 182046.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages2 packages

▶NVDibm/spectrum_protect_plus10.1.0 — 10.1.8.1

▶CVEListV5ibm/spectrum_protect_plus10.1.0.0, 10.1.8.0+1

Patches

Patch: www.ibm.com ↗Patch: www.ibm.com ↗

🔴Vulnerability Details

GHSA

GHSA-xwhx-6g69-79wc: The IBM Spectrum Protect Plus 10↗2021-12-14

▶

CVEList

CVE-2020-4496: The IBM Spectrum Protect Plus 10↗2021-12-13

▶

💬Community

Bugzilla

CVE-2019-7574 SDL: heap-based buffer over-read in IMA_ADPCM_decode in audio/SDL_wave.c↗2019-02-13

▶