Rewterz Threat Advisory – Multiple IBM Security Verify Governance, Identity Manager Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2022-35646 CVSS:5.9

IBM Security Verify Governance, Identity Manager 10.0.1 software component could allow an authenticated user to modify or cancel any other user’s access request using man-in-the-middle techniques. 

CVE-2022-22461 CVSS:5.9

IBM Security Verify Governance, Identity Manager 10.0.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

CVE-2022-22449 CVSS:5.3

IBM Security Verify Governance, Identity Manager 10.01 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.

CVE-2022-22458 CVSS:6.3

IBM Security Verify Governance, Identity Manager 10.0.1 stores user credentials in plain clear text which can be read by a remote authenticated user. 

CVE-2022-22456 CVSS:4.2

IBM Security Verify Governance, Identity Manager 10.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

CVE-2022-22457 CVSS:5.3

IBM Security Verify Governance, Identity Manager 10.0.1 stores sensitive information including user credentials in plain clear text which can be read by a local privileged user.

Impact

• Security Bypass
• Information Disclosure
• Cross-Site Scripting

Indicators Of Compromise

CVE

• CVE-2022-35646
• CVE-2022-22461
• CVE-2022-22449
• CVE-2022-22458
• CVE-2022-22456
• CVE-2022-22457

Affected Vendors

IBM

Affected Products

• IBM Security Verify Governance 10.0.1

Remediation

Refer to IBM Security Advisory for patch, upgrade or suggested workaround information. 

IBM Security Advisory