CVE-2020-4499

IBM Security Access Manager 9.0.7 and IBM Security Verify Access 10.0.0 could allow an unauthorized public Oauth client to bypass some or all of the authentication checks and gain access to applications. IBM X-Force ID: 182216.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://exchange.xforce.ibmcloud.com/vulnerabilities/182216	VDB Entry Vendor Advisory
https://www.ibm.com/support/pages/node/6348046	Patch Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/182216	VDB Entry Vendor Advisory
https://www.ibm.com/support/pages/node/6348046	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ibm:security_access_manager::::::::
	cpe:2.3:a:ibm:security_verify_access::::::::

History

21 Nov 2024, 05:32

Type	Values Removed	Values Added
References	~~() https://exchange.xforce.ibmcloud.com/vulnerabilities/182216 - VDB Entry, Vendor Advisory~~	() https://exchange.xforce.ibmcloud.com/vulnerabilities/182216 - VDB Entry, Vendor Advisory
References	~~() https://www.ibm.com/support/pages/node/6348046 - Patch, Vendor Advisory~~	() https://www.ibm.com/support/pages/node/6348046 - Patch, Vendor Advisory

Information

Published : 2020-10-15 13:15

Updated : 2024-11-21 05:32

NVD link : CVE-2020-4499

Mitre link : CVE-2020-4499

CVE.ORG link : CVE-2020-4499

JSON object : View

Products Affected

ibm

security_verify_access
security_access_manager

CWE

NVD-CWE-noinfo

{"id": "CVE-2020-4499", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Secondary", "source": "psirt@us.ibm.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 3.9}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2020-10-15T13:15:12.913", "references": [{"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/182216", "tags": ["VDB Entry", "Vendor Advisory"], "source": "psirt@us.ibm.com"}, {"url": "https://www.ibm.com/support/pages/node/6348046", "tags": ["Patch", "Vendor Advisory"], "source": "psirt@us.ibm.com"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/182216", "tags": ["VDB Entry", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.ibm.com/support/pages/node/6348046", "tags": ["Patch", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "IBM Security Access Manager 9.0.7 and IBM Security Verify Access 10.0.0 could allow an unauthorized public Oauth client to bypass some or all of the authentication checks and gain access to applications. IBM X-Force ID: 182216."}, {"lang": "es", "value": "IBM Security Access Manager versi\u00f3n 9.0.7 e IBM Security Verify Access versi\u00f3n 10.0.0, podr\u00edan permitir a un cliente Oauth p\u00fablico no autorizado omitir algunas o todas las comprobaciones de autenticaci\u00f3n y conseguir acceso a las aplicaciones. IBM X-Force ID: 182216"}], "lastModified": "2024-11-21T05:32:49.257", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ibm:security_access_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "58BFDCF5-D32F-4C5D-8F1C-75932843157F", "versionEndExcluding": "9.0.7.2", "versionStartIncluding": "9.0.7.0"}, {"criteria": "cpe:2.3:a:ibm:security_verify_access:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4A6EA022-9E98-4AEB-9B98-8BC6061141EE", "versionEndExcluding": "10.0.0.1", "versionStartIncluding": "10.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@us.ibm.com"}