github - ghsa-6hmj-wm73-g83p

ghsa-6hmj-wm73-g83p

Vulnerability from github

Published

2024-02-29 03:33

Modified

2024-02-29 03:33

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Details

IBM Cloud Pak Foundational Services Identity Provider (idP) API (IBM Cloud Pak for Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2) allows CRUD Operations with an invalid token. This could allow an unauthenticated attacker to view, update, delete or create an IdP configuration. IBM X-Force ID: 261130.

Show details on source website

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2023-38367"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-29T02:15:09Z",
    "severity": "MODERATE"
  },
  "details": "IBM Cloud Pak Foundational Services Identity Provider (idP) API (IBM Cloud Pak for Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2) allows CRUD Operations with an invalid token. This could allow an unauthenticated attacker to view, update, delete or create an IdP configuration.  IBM X-Force ID:  261130.",
  "id": "GHSA-6hmj-wm73-g83p",
  "modified": "2024-02-29T03:33:18Z",
  "published": "2024-02-29T03:33:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38367"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/261130"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7015271"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

cve-2023-38367

Vulnerability from cvelistv5

Published

2024-02-29 02:13

Modified

2025-03-27 14:58

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Summary

IBM Cloud Pak for Automation authentication bypass

References

▼	URL	Tags
	https://www.ibm.com/support/pages/node/7015271	vendor-advisory
	https://exchange.xforce.ibmcloud.com/vulnerabilities/261130	vdb-entry

Impacted products

▼	Vendor	Product
	IBM	Cloud Pak for Automation

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:ibm:cloud_pak_for_automation:18.0.0:*:*:*:*:*:*:*",
              "cpe:2.3:a:ibm:cloud_pak_for_automation:18.0.1:*:*:*:*:*:*:*",
              "cpe:2.3:a:ibm:cloud_pak_for_automation:18.0.2:*:*:*:*:*:*:*",
              "cpe:2.3:a:ibm:cloud_pak_for_automation:19.0.1:*:*:*:*:*:*:*",
              "cpe:2.3:a:ibm:cloud_pak_for_automation:19.0.2:*:*:*:*:*:*:*",
              "cpe:2.3:a:ibm:cloud_pak_for_automation:19.0.3:*:*:*:*:*:*:*",
              "cpe:2.3:a:ibm:cloud_pak_for_automation:20.0.1:*:*:*:*:*:*:*",
              "cpe:2.3:a:ibm:cloud_pak_for_automation:20.0.2:-:*:*:*:*:*:*",
              "cpe:2.3:a:ibm:cloud_pak_for_automation:20.0.3:*:*:*:*:*:*:*",
              "cpe:2.3:a:ibm:cloud_pak_for_automation:21.0.1:*:*:*:*:*:*:*",
              "cpe:2.3:a:ibm:cloud_pak_for_automation:21.0.2:*:*:*:*:*:*:*",
              "cpe:2.3:a:ibm:cloud_pak_for_automation:21.0.3:*:*:*:*:*:*:*",
              "cpe:2.3:a:ibm:cloud_pak_for_automation:22.0.1:*:*:*:*:*:*:*",
              "cpe:2.3:a:ibm:cloud_pak_for_automation:22.0.2:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "cloud_pak_for_automation",
            "vendor": "ibm",
            "versions": [
              {
                "status": "affected",
                "version": "18.0.0"
              },
              {
                "status": "affected",
                "version": "18.0.1"
              },
              {
                "status": "affected",
                "version": "18.0.2"
              },
              {
                "status": "affected",
                "version": "19.0.1"
              },
              {
                "status": "affected",
                "version": "19.0.2"
              },
              {
                "status": "affected",
                "version": "19.0.3"
              },
              {
                "status": "affected",
                "version": "20.0.1"
              },
              {
                "status": "affected",
                "version": "20.0.2"
              },
              {
                "status": "affected",
                "version": "20.0.3"
              },
              {
                "status": "affected",
                "version": "21.0.1"
              },
              {
                "status": "affected",
                "version": "21.0.2"
              },
              {
                "status": "affected",
                "version": "21.0.3"
              },
              {
                "status": "affected",
                "version": "22.0.1"
              },
              {
                "status": "affected",
                "version": "22.0.2"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-38367",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-01T16:19:47.030118Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-287",
                "description": "CWE-287 Improper Authentication",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-27T14:58:22.035Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T17:39:12.997Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.ibm.com/support/pages/node/7015271"
          },
          {
            "tags": [
              "vdb-entry",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/261130"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Cloud Pak for Automation",
          "vendor": "IBM",
          "versions": [
            {
              "status": "affected",
              "version": "18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, 22.0.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "IBM Cloud Pak Foundational Services Identity Provider (idP) API (IBM Cloud Pak for Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2) allows CRUD Operations with an invalid token. This could allow an unauthenticated attacker to view, update, delete or create an IdP configuration.  IBM X-Force ID:  261130."
            }
          ],
          "value": "IBM Cloud Pak Foundational Services Identity Provider (idP) API (IBM Cloud Pak for Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2) allows CRUD Operations with an invalid token. This could allow an unauthenticated attacker to view, update, delete or create an IdP configuration.  IBM X-Force ID:  261130."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CVE-287 Improper Authentication",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-29T02:13:16.103Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.ibm.com/support/pages/node/7015271"
        },
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/261130"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "IBM Cloud Pak for Automation authentication bypass",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2023-38367",
    "datePublished": "2024-02-29T02:13:16.103Z",
    "dateReserved": "2023-07-16T00:53:13.214Z",
    "dateUpdated": "2025-03-27T14:58:22.035Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.