CVE-2022-22487 — Improper Restriction of Excessive Authentication Attempts in IBM Spectrum Protect Server

CWE-307 — Improper Restriction of Excessive Authentication Attempts CWE-287 — Improper Authentication3 documents3 sources

Severity

9.8CRITICALNVD

EPSS

0.3%

top 49.09%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

IBM Spectrum Protect Server

Timeline

PublishedJun 30

Latest updateJul 1

Description

An IBM Spectrum Protect storage agent could allow a remote attacker to perform a brute force attack by allowing unlimited attempts to login to the storage agent without locking the administrative ID. A remote attacker could exploit this vulnerability using brute force techniques to gain unauthorized administrative access to both the IBM Spectrum Protect storage agent and the IBM Spectrum Protect Server 8.1.0.000 through 8.1.14 with which it communicates. IBM X-Force ID: 226326.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDibm/spectrum_protect_server8.1.0.000 — 8.1.14

▶CVEListV5ibm/spectrum_protect_server8.1.0.000, 8.1.14+1

Patches

Patch: www.ibm.com ↗Patch: www.ibm.com ↗

🔴Vulnerability Details

GHSA

GHSA-556c-92hj-fwg6: An IBM Spectrum Protect storage agent could allow a remote attacker to perform a brute force attack by allowing unlimited attempts to login to the sto↗2022-07-01

▶

CVEList

CVE-2022-22487: An IBM Spectrum Protect storage agent could allow a remote attacker to perform a brute force attack by allowing unlimited attempts to login to the sto↗2022-06-30

▶