    5 vulnerabilities found for Storage Protect Client by IBM

    CVE-2026-12628 (GCVE-0-2026-12628)

    Vulnerability from cvelistv5 – Published: 2026-06-22 13:43 – Updated: 2026-06-25 03:55
    Title
    Hardcoded credential in the IBM Storage Protect Snapshot For Windows leads to unauthorized access to system
    Summary
    IBM Storage Protect Client 8.1.0.0 through 8.2.1.0 and IBM Storage Protect Snapshot For Windows 8.1.0.0 through 8.2.1.0 could allow a remote attacker to bypass authentication due to the use of a hardcoded credential in the FlashCopy Manager (FCM) authentication mechanism. The application contains a static credential embedded in multiple authentication code paths, and does not properly validate authentication responses, which may allow an unauthenticated attacker to establish a trusted session and access protected services. This vulnerability affects client components across multiple versions and may allow an attacker to impersonate legitimate clients, potentially leading to unauthorized access to system resources.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-798 - Use of Hard-coded Credentials
    Assigner
    ibm
    References
    URL Tags
    https://www.ibm.com/support/pages/node/7277245 vendor-advisory, patch
    Impacted products
    Vendor Product Version
    IBM Storage Protect Client Affected: 8.1.0.0 , ≤ 8.2.1.0 (semver)
        cpe:2.3:a:ibm:storage_protect_client:8.1.0.0:*:*:*:*:*:*:*
        cpe:2.3:a:ibm:storage_protect_client:8.2.1.0:*:*:*:*:*:*:*
    IBM Storage Protect Snapshot For Windows Affected: 8.1.0.0 , ≤ 8.2.1.0 (semver)
        cpe:2.3:a:ibm:storage_protect_snapshot_for_windows:8.1.0.0:*:*:*:*:*:*:*
        cpe:2.3:a:ibm:storage_protect_snapshot_for_windows:8.2.1.0:*:*:*:*:*:*:*
    Credits
    The vulnerability was reported to IBM by Pétur Eyþórsson and Cristie Nordic.

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12628",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-24T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T03:55:25.428Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:ibm:storage_protect_client:8.1.0.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:ibm:storage_protect_client:8.2.1.0:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "product": "Storage Protect Client",
              "vendor": "IBM",
              "versions": [
                {
                  "lessThanOrEqual": "8.2.1.0",
                  "status": "affected",
                  "version": "8.1.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "cpes": [
                "cpe:2.3:a:ibm:storage_protect_snapshot_for_windows:8.1.0.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:ibm:storage_protect_snapshot_for_windows:8.2.1.0:*:*:*:*:*:*:*"
              ],
              "defaultStatus": "unaffected",
              "product": "Storage Protect Snapshot For Windows",
              "vendor": "IBM",
              "versions": [
                {
                  "lessThanOrEqual": "8.2.1.0",
                  "status": "affected",
                  "version": "8.1.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "The vulnerability was reported to IBM by P\u00e9tur Ey\u00fe\u00f3rsson and Cristie Nordic."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eIBM Storage Protect Client 8.1.0.0 through 8.2.1.0 and IBM Storage Protect Snapshot For Windows 8.1.0.0 through 8.2.1.0 could allow a remote attacker to bypass authentication due to the use of a hardcoded credential in the FlashCopy Manager (FCM) authentication mechanism. The application contains a static credential embedded in multiple authentication code paths, and does not properly validate authentication responses, which may allow an unauthenticated attacker to establish a trusted session and access protected services. This vulnerability affects client components across multiple versions and may allow an attacker to impersonate legitimate clients, potentially leading to unauthorized access to system resources.\u003c/p\u003e"
                }
              ],
              "value": "IBM Storage Protect Client 8.1.0.0 through 8.2.1.0 and IBM Storage Protect Snapshot For Windows 8.1.0.0 through 8.2.1.0 could allow a remote attacker to bypass authentication due to the use of a hardcoded credential in the FlashCopy Manager (FCM) authentication mechanism. The application contains a static credential embedded in multiple authentication code paths, and does not properly validate authentication responses, which may allow an unauthenticated attacker to establish a trusted session and access protected services. This vulnerability affects client components across multiple versions and may allow an attacker to impersonate legitimate clients, potentially leading to unauthorized access to system resources."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-798",
                  "description": "CWE-798 Use of Hard-coded Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-23T18:52:31.455Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "patch"
              ],
              "url": "https://www.ibm.com/support/pages/node/7277245"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eIBM strongly recommends addressing the vulnerability now.\u003c/p\u003e\u003cdiv\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eProduct\u003c/td\u003e\u003ctd\u003eFixing level\u003c/td\u003e\u003ctd\u003ePlatforms\u003c/td\u003e\u003ctd\u003eLink to fix and instructions\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Storage Protect Backup-Archive Client\u003c/td\u003e\u003ctd\u003e8.2.1.1\u003c/td\u003e\u003ctd\u003eWindows\u0026nbsp;\u003c/td\u003e\u003ctd\u003e\u003ca href=\"https://www.ibm.com/support/pages/node/7267111\" rel=\"nofollow\"\u003ehttps://www.ibm.com/support/pages/node/7267111\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/div\u003e\u003cdiv\u003e\u003c/div\u003e\u003cdiv\u003eCurrently, the vulnerability has been addressed on the Windows platform through an iFix release.\u003c/div\u003e\u003cdiv\u003e\u003c/div\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cp\u003eA hardcoded password present in the source code of IBM Storage Protect Snapshot For Windows, which led to a security vulnerability, has been resolved in this release.\u003c/p\u003e\u003cp\u003eFor other platforms (AIX, HP-UX, Linux, Macintosh, and Solaris), the hardcoded password still exists in the code; however, it is not actively used and is only identified during static code scans. This issue has been assessed as low severity, and separate PVRs have been created to track it.\u003c/p\u003e\u003c/div\u003e\u003c/div\u003e\u003cp\u003e\u003c/p\u003e"
                }
              ],
              "value": "IBM strongly recommends addressing the vulnerability now.\n\nProductFixing levelPlatformsLink to fix and instructionsIBM Storage Protect Backup-Archive Client8.2.1.1Windows\u00a0 https://www.ibm.com/support/pages/node/7267111 \n\n\n\nCurrently, the vulnerability has been addressed on the Windows platform through an iFix release.\n\n\n\n\n\nA hardcoded password present in the source code of IBM Storage Protect Snapshot For Windows, which led to a security vulnerability, has been resolved in this release.\n\n\n\nFor other platforms (AIX, HP-UX, Linux, Macintosh, and Solaris), the hardcoded password still exists in the code; however, it is not actively used and is only identified during static code scans. This issue has been assessed as low severity, and separate PVRs have been created to track it."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Hardcoded credential in the IBM Storage Protect Snapshot For Windows leads to unauthorized access to system",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003eThe remaining PVRs for other platforms are classified with a low severity score and will be addressed in an upcoming release.\u003c/div\u003e"
                }
              ],
              "value": "The remaining PVRs for other platforms are classified with a low severity score and will be addressed in an upcoming release."
            }
          ],
          "x_generator": {
            "engine": "ibm-cvegen"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2026-12628",
        "datePublished": "2026-06-22T13:43:33.351Z",
        "dateReserved": "2026-06-18T15:18:16.795Z",
        "dateUpdated": "2026-06-25T03:55:25.428Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-35897 (GCVE-0-2023-35897)

    Vulnerability from cvelistv5 – Published: 2023-10-06 13:06 – Updated: 2024-09-19 16:04
    Title
    IBM Spectrum Protect code execution
    Summary
    IBM Spectrum Protect Client and IBM Storage Protect for Virtual Environments 8.1.0.0 through 8.1.19.0 could allow a local user to execute arbitrary code on the system using a specially crafted file, caused by a DLL hijacking flaw. IBM X-Force ID: 259246.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    ibm
    Impacted products
    Vendor Product Version
    IBM Storage Protect Client Affected: 8.1.0.0 , ≤ 8.1.19.0 (semver)
    IBM Storage Protect for Virtual Environments Affected: 8.1.0.0 , ≤ 8.1.19.0 (semver)
    ibm storage_protect_client Affected: 8.1.0.0 , ≤ 8.1.19.0 (custom)
        cpe:2.3:a:ibm:storage_protect_client:*:*:*:*:*:*:*:*
    ibm storage_protect Affected: 8.1.0.0 , ≤ 8.1.19.0 (custom)
        cpe:2.3:a:ibm:storage_protect:*:*:*:*:virtual_environments\:_data_protection_for_hyper-v:*:*:*
    ibm storage_protect Affected: 8.1.0.0 , ≤ 8.1.19.0 (custom)
        cpe:2.3:a:ibm:storage_protect:*:*:*:*:virtual_environments\:_data_protection_for_vmware:*:*:*

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T16:37:40.090Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.ibm.com/support/pages/node/7037299"
              },
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/259246"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:ibm:storage_protect_client:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "storage_protect_client",
                "vendor": "ibm",
                "versions": [
                  {
                    "lessThanOrEqual": "8.1.19.0",
                    "status": "affected",
                    "version": "8.1.0.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:ibm:storage_protect:*:*:*:*:virtual_environments\\:_data_protection_for_hyper-v:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "storage_protect",
                "vendor": "ibm",
                "versions": [
                  {
                    "lessThanOrEqual": "8.1.19.0",
                    "status": "affected",
                    "version": "8.1.0.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:ibm:storage_protect:*:*:*:*:virtual_environments\\:_data_protection_for_vmware:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "storage_protect",
                "vendor": "ibm",
                "versions": [
                  {
                    "lessThanOrEqual": "8.1.19.0",
                    "status": "affected",
                    "version": "8.1.0.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-35897",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-19T15:59:21.561364Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-19T16:04:33.532Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Storage Protect Client",
              "vendor": "IBM",
              "versions": [
                {
                  "lessThanOrEqual": "8.1.19.0",
                  "status": "affected",
                  "version": "8.1.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Storage Protect for Virtual Environments",
              "vendor": "IBM",
              "versions": [
                {
                  "lessThanOrEqual": "8.1.19.0",
                  "status": "affected",
                  "version": "8.1.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "IBM Spectrum Protect Client and IBM Storage Protect for Virtual Environments 8.1.0.0 through 8.1.19.0 could allow a local user to execute arbitrary code on the system using a specially crafted file, caused by a DLL hijacking flaw.  IBM X-Force ID:  259246."
                }
              ],
              "value": "IBM Spectrum Protect Client and IBM Storage Protect for Virtual Environments 8.1.0.0 through 8.1.19.0 could allow a local user to execute arbitrary code on the system using a specially crafted file, caused by a DLL hijacking flaw.  IBM X-Force ID:  259246."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-10-06T13:06:34.570Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.ibm.com/support/pages/node/7037299"
            },
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/259246"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "IBM Spectrum Protect code execution",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2023-35897",
        "datePublished": "2023-10-06T13:06:34.570Z",
        "dateReserved": "2023-06-20T02:24:14.840Z",
        "dateUpdated": "2024-09-19T16:04:33.532Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-40368 (GCVE-0-2023-40368)

    Vulnerability from cvelistv5 – Published: 2023-09-20 18:43 – Updated: 2024-09-24 15:31
    Title
    IBM Storage Protect information disclosure
    Summary
    IBM Storage Protect 8.1.0.0 through 8.1.19.0 could allow a privileged user to obtain sensitive information from the administrative command line client. IBM X-Force ID: 263456.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    ibm
    Impacted products

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T18:31:53.904Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.ibm.com/support/pages/node/7034288"
              },
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/263456"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-40368",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-24T15:30:54.290275Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-24T15:31:05.285Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Storage Protect Client",
              "vendor": "IBM",
              "versions": [
                {
                  "lessThanOrEqual": "8.1.19.0",
                  "status": "affected",
                  "version": "8.1.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Storage Protect for Space Management",
              "vendor": "IBM",
              "versions": [
                {
                  "lessThanOrEqual": "8.1.19.0",
                  "status": "affected",
                  "version": "8.1.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Storage Protect for Virtual Environments",
              "vendor": "IBM",
              "versions": [
                {
                  "lessThanOrEqual": "8.1.19.0",
                  "status": "affected",
                  "version": "8.1.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "IBM Storage Protect 8.1.0.0 through 8.1.19.0 could allow a privileged user to obtain sensitive information from the administrative command line client.  IBM X-Force ID:  263456."
                }
              ],
              "value": "IBM Storage Protect 8.1.0.0 through 8.1.19.0 could allow a privileged user to obtain sensitive information from the administrative command line client.  IBM X-Force ID:  263456."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-09-20T18:43:43.601Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.ibm.com/support/pages/node/7034288"
            },
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/263456"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "IBM Storage Protect information disclosure",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2023-40368",
        "datePublished": "2023-09-20T18:43:43.601Z",
        "dateReserved": "2023-08-14T20:12:04.115Z",
        "dateUpdated": "2024-09-24T15:31:05.285Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-35897 (GCVE-0-2023-35897)

    Vulnerability from nvd – Published: 2023-10-06 13:06 – Updated: 2024-09-19 16:04
    Title
    IBM Spectrum Protect code execution
    Summary
    IBM Spectrum Protect Client and IBM Storage Protect for Virtual Environments 8.1.0.0 through 8.1.19.0 could allow a local user to execute arbitrary code on the system using a specially crafted file, caused by a DLL hijacking flaw. IBM X-Force ID: 259246.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    ibm
    Impacted products
    Vendor Product Version
    IBM Storage Protect Client Affected: 8.1.0.0 , ≤ 8.1.19.0 (semver)
    IBM Storage Protect for Virtual Environments Affected: 8.1.0.0 , ≤ 8.1.19.0 (semver)
    ibm storage_protect_client Affected: 8.1.0.0 , ≤ 8.1.19.0 (custom)
        cpe:2.3:a:ibm:storage_protect_client:*:*:*:*:*:*:*:*
    ibm storage_protect Affected: 8.1.0.0 , ≤ 8.1.19.0 (custom)
        cpe:2.3:a:ibm:storage_protect:*:*:*:*:virtual_environments\:_data_protection_for_hyper-v:*:*:*
    ibm storage_protect Affected: 8.1.0.0 , ≤ 8.1.19.0 (custom)
        cpe:2.3:a:ibm:storage_protect:*:*:*:*:virtual_environments\:_data_protection_for_vmware:*:*:*

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T16:37:40.090Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.ibm.com/support/pages/node/7037299"
              },
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/259246"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:ibm:storage_protect_client:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "storage_protect_client",
                "vendor": "ibm",
                "versions": [
                  {
                    "lessThanOrEqual": "8.1.19.0",
                    "status": "affected",
                    "version": "8.1.0.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:ibm:storage_protect:*:*:*:*:virtual_environments\\:_data_protection_for_hyper-v:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "storage_protect",
                "vendor": "ibm",
                "versions": [
                  {
                    "lessThanOrEqual": "8.1.19.0",
                    "status": "affected",
                    "version": "8.1.0.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:ibm:storage_protect:*:*:*:*:virtual_environments\\:_data_protection_for_vmware:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "storage_protect",
                "vendor": "ibm",
                "versions": [
                  {
                    "lessThanOrEqual": "8.1.19.0",
                    "status": "affected",
                    "version": "8.1.0.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-35897",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-19T15:59:21.561364Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-19T16:04:33.532Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Storage Protect Client",
              "vendor": "IBM",
              "versions": [
                {
                  "lessThanOrEqual": "8.1.19.0",
                  "status": "affected",
                  "version": "8.1.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Storage Protect for Virtual Environments",
              "vendor": "IBM",
              "versions": [
                {
                  "lessThanOrEqual": "8.1.19.0",
                  "status": "affected",
                  "version": "8.1.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "IBM Spectrum Protect Client and IBM Storage Protect for Virtual Environments 8.1.0.0 through 8.1.19.0 could allow a local user to execute arbitrary code on the system using a specially crafted file, caused by a DLL hijacking flaw.  IBM X-Force ID:  259246."
                }
              ],
              "value": "IBM Spectrum Protect Client and IBM Storage Protect for Virtual Environments 8.1.0.0 through 8.1.19.0 could allow a local user to execute arbitrary code on the system using a specially crafted file, caused by a DLL hijacking flaw.  IBM X-Force ID:  259246."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-10-06T13:06:34.570Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.ibm.com/support/pages/node/7037299"
            },
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/259246"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "IBM Spectrum Protect code execution",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2023-35897",
        "datePublished": "2023-10-06T13:06:34.570Z",
        "dateReserved": "2023-06-20T02:24:14.840Z",
        "dateUpdated": "2024-09-19T16:04:33.532Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-40368 (GCVE-0-2023-40368)

    Vulnerability from nvd – Published: 2023-09-20 18:43 – Updated: 2024-09-24 15:31
    VLAI
    Title
    IBM Storage Protect information disclosure
    Summary
    IBM Storage Protect 8.1.0.0 through 8.1.19.0 could allow a privileged user to obtain sensitive information from the administrative command line client. IBM X-Force ID: 263456.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    ibm
    Impacted products

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T18:31:53.904Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.ibm.com/support/pages/node/7034288"
              },
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/263456"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-40368",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-24T15:30:54.290275Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-24T15:31:05.285Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Storage Protect Client",
              "vendor": "IBM",
              "versions": [
                {
                  "lessThanOrEqual": "8.1.19.0",
                  "status": "affected",
                  "version": "8.1.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Storage Protect for Space Management",
              "vendor": "IBM",
              "versions": [
                {
                  "lessThanOrEqual": "8.1.19.0",
                  "status": "affected",
                  "version": "8.1.0.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Storage Protect for Virtual Environments",
              "vendor": "IBM",
              "versions": [
                {
                  "lessThanOrEqual": "8.1.19.0",
                  "status": "affected",
                  "version": "8.1.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "IBM Storage Protect 8.1.0.0 through 8.1.19.0 could allow a privileged user to obtain sensitive information from the administrative command line client.  IBM X-Force ID:  263456."
                }
              ],
              "value": "IBM Storage Protect 8.1.0.0 through 8.1.19.0 could allow a privileged user to obtain sensitive information from the administrative command line client.  IBM X-Force ID:  263456."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-09-20T18:43:43.601Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.ibm.com/support/pages/node/7034288"
            },
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/263456"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "IBM Storage Protect information disclosure",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2023-40368",
        "datePublished": "2023-09-20T18:43:43.601Z",
        "dateReserved": "2023-08-14T20:12:04.115Z",
        "dateUpdated": "2024-09-24T15:31:05.285Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }