CVE-2022-22331 — Authorization Bypass Through User-Controlled Key in IBM Sterlingpartner Engagement Manager

CWE-639 — Authorization Bypass Through User-Controlled Key CWE-668 — Resource Exposure3 documents3 sources

Severity

7.1HIGHNVD

EPSS

0.1%

top 70.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

IBM Sterlingpartner Engagement Manager IBM Partner Engagement Manager

Timeline

PublishedApr 1

Latest updateApr 2

Description

IBM SterlingPartner Engagement Manager 6.2.0 could allow a remote authenticated attacker to obtain sensitive information or modify user details caused by an insecure direct object vulnerability (IDOR). IBM X-Force ID: 219130.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:NExploitability: 2.8 | Impact: 4.2

Affected Packages2 packages

▶CVEListV5ibm/sterlingpartner_engagement_manager6.2.0

▶NVDibm/partner_engagement_manager6.2.0

Patches

Patch: www.ibm.com ↗Patch: www.ibm.com ↗

🔴Vulnerability Details

GHSA

GHSA-4m3m-pj87-8xhf: IBM SterlingPartner Engagement Manager 6↗2022-04-02

▶

CVEList

CVE-2022-22331: IBM SterlingPartner Engagement Manager 6↗2022-04-01

▶