CVE-2020-4497 — Cleartext Transmission of Sensitive Info in IBM Spectrum Protect Plus

CWE-319 — Cleartext Transmission of Sensitive Info5 documents5 sources

Severity

5.9MEDIUMNVD

CNA6.8

EPSS

0.1%

top 70.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

IBM Spectrum Protect Plus

Timeline

PublishedDec 14

Latest updateDec 15

Description

IBM Spectrum Protect Plus 10.1.0 through 10.1.12 discloses sensitive information due to unencrypted data being used in the communication flow between Spectrum Protect Plus vSnap and its agents. An attacker could obtain information using main in the middle techniques. IBM X-Force ID: 182106.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5ibm/spectrum_protect_plus10.1.0 — 10.1.12

▶NVDibm/spectrum_protect_plus10.1.0 — 10.1.13

Patches

Patch: www.ibm.com ↗Patch: www.ibm.com ↗

🔴Vulnerability Details

GHSA

GHSA-m376-rjrp-x9hg: IBM Spectrum Protect Plus 10↗2022-12-15

▶

CVEList

IBM Spectrum Protect Plus information disclosure↗2022-12-14

▶

💥Exploits & PoCs

Exploit-DB

CompleteFTP Professional 12.1.3 - Remote Code Execution↗2020-07-09

▶

💬Community

Bugzilla

CVE-2019-7637 SDL: heap-based buffer overflow in SDL_FillRect in video/SDL_surface.c↗2019-02-14

▶