CVE-2022-22485 — Improper Restriction of Excessive Authentication Attempts in IBM Spectrum Protect Operations Center

CWE-307 — Improper Restriction of Excessive Authentication Attempts CWE-287 — Improper Authentication3 documents3 sources

Severity

9.8CRITICALNVD

EPSS

0.2%

top 60.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

IBM Spectrum Protect Operations Center IBM Spectrum Protect Server

Timeline

PublishedJun 17

Latest updateJun 18

Description

In some cases, an unsuccessful attempt to log into IBM Spectrum Protect Operations Center 8.1.0.000 through 8.1.14.000 does not cause the administrator's invalid sign-on count to be incremented on the IBM Spectrum Protect Server. An attacker could exploit this vulnerability using brute force techniques to gain unauthorized administrative access to the IBM Spectrum Protect Server. IBM X-Force ID: 226325.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDibm/spectrum_protect_operations_center8.1.0.000 — 8.1.14.000

▶CVEListV5ibm/spectrum_protect_server8.1.0.000, 8.1.14.000+1

Patches

Patch: www.ibm.com ↗Patch: www.ibm.com ↗

🔴Vulnerability Details

GHSA

GHSA-36gp-vh35-q2p5: In some cases, an unsuccessful attempt to log into IBM Spectrum Protect Operations Center 8↗2022-06-18

▶

CVEList

CVE-2022-22485: In some cases, an unsuccessful attempt to log into IBM Spectrum Protect Operations Center 8↗2022-06-17

▶