cnvd - cnvd-2022-54648

cnvd-2022-54648

Vulnerability from cnvd

Title: IBM Curam Social Program Management会话固定漏洞

Description:

IBM Curam Social Program Management是美国IBM公司的一种业务和技术解决方案，可在动态可配置架构之上提供预构建的健康和社交计划组件、业务流程、工具集和界面。

IBM Curam Social Program Management存在会话固定漏洞，该漏洞源于程序在注销后会话未能正确失效，经过身份验证的攻击者可利用该漏洞冒充系统上的其他用户。

Severity: 中

Patch Name: IBM Curam Social Program Management会话固定漏洞的补丁

Patch Description:

IBM Curam Social Program Management存在会话固定漏洞，该漏洞源于程序在注销后会话未能正确失效，经过身份验证的攻击者可利用该漏洞冒充系统上的其他用户。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://www.ibm.com/support/pages/node/6596049

Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-22318

Impacted products

Name
['IBM Curam Social Program Management 8.0.1', 'IBM Curam Social Program Management 8.0.0']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-22318",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-22318"
    }
  },
  "description": "IBM Curam Social Program Management\u662f\u7f8e\u56fdIBM\u516c\u53f8\u7684\u4e00\u79cd\u4e1a\u52a1\u548c\u6280\u672f\u89e3\u51b3\u65b9\u6848\uff0c\u53ef\u5728\u52a8\u6001\u53ef\u914d\u7f6e\u67b6\u6784\u4e4b\u4e0a\u63d0\u4f9b\u9884\u6784\u5efa\u7684\u5065\u5eb7\u548c\u793e\u4ea4\u8ba1\u5212\u7ec4\u4ef6\u3001\u4e1a\u52a1\u6d41\u7a0b\u3001\u5de5\u5177\u96c6\u548c\u754c\u9762\u3002\n\nIBM Curam Social Program Management\u5b58\u5728\u4f1a\u8bdd\u56fa\u5b9a\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u5728\u6ce8\u9500\u540e\u4f1a\u8bdd\u672a\u80fd\u6b63\u786e\u5931\u6548\uff0c\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5192\u5145\u7cfb\u7edf\u4e0a\u7684\u5176\u4ed6\u7528\u6237\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.ibm.com/support/pages/node/6596049",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-54648",
  "openTime": "2022-08-02",
  "patchDescription": "IBM Curam Social Program Management\u662f\u7f8e\u56fdIBM\u516c\u53f8\u7684\u4e00\u79cd\u4e1a\u52a1\u548c\u6280\u672f\u89e3\u51b3\u65b9\u6848\uff0c\u53ef\u5728\u52a8\u6001\u53ef\u914d\u7f6e\u67b6\u6784\u4e4b\u4e0a\u63d0\u4f9b\u9884\u6784\u5efa\u7684\u5065\u5eb7\u548c\u793e\u4ea4\u8ba1\u5212\u7ec4\u4ef6\u3001\u4e1a\u52a1\u6d41\u7a0b\u3001\u5de5\u5177\u96c6\u548c\u754c\u9762\u3002\r\n\r\nIBM Curam Social Program Management\u5b58\u5728\u4f1a\u8bdd\u56fa\u5b9a\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u5728\u6ce8\u9500\u540e\u4f1a\u8bdd\u672a\u80fd\u6b63\u786e\u5931\u6548\uff0c\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5192\u5145\u7cfb\u7edf\u4e0a\u7684\u5176\u4ed6\u7528\u6237\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "IBM Curam Social Program Management\u4f1a\u8bdd\u56fa\u5b9a\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "IBM Curam Social Program Management 8.0.1",
      "IBM Curam Social Program Management 8.0.0"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2022-22318",
  "serverity": "\u4e2d",
  "submitTime": "2022-06-22",
  "title": "IBM Curam Social Program Management\u4f1a\u8bdd\u56fa\u5b9a\u6f0f\u6d1e"
}

CVE-2022-22318 (GCVE-0-2022-22318)

Vulnerability from cvelistv5

Published

2022-06-20 16:25

Modified

2024-09-16 22:25

Severity ?

5.9 (Medium) - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C

CWE

Gain Privileges

Summary

IBM Curam Social Program Management 8.0.0 and 8.0.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system.

References

▼	URL	Tags
	https://www.ibm.com/support/pages/node/6596049	x_refsource_CONFIRM
	https://exchange.xforce.ibmcloud.com/vulnerabilities/218283	vdb-entry, x_refsource_XF

Impacted products

	Vendor	Product	Version
	IBM	Curam Social Program Management	Version: 8.0.0 Version: 8.0.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:07:50.287Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.ibm.com/support/pages/node/6596049"
          },
          {
            "name": "ibm-curam-cve202222318-session-fixation (218283)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/218283"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Curam Social Program Management",
          "vendor": "IBM",
          "versions": [
            {
              "status": "affected",
              "version": "8.0.0"
            },
            {
              "status": "affected",
              "version": "8.0.1"
            }
          ]
        }
      ],
      "datePublic": "2022-06-17T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "IBM Curam Social Program Management 8.0.0 and 8.0.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "exploitCodeMaturity": "UNPROVEN",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "remediationLevel": "OFFICIAL_FIX",
            "reportConfidence": "CONFIRMED",
            "scope": "UNCHANGED",
            "temporalScore": 5.2,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/PR:N/AV:L/A:L/I:L/S:U/AC:L/UI:N/C:L/E:U/RL:O/RC:C",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Gain Privileges",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-06-20T16:25:16",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.ibm.com/support/pages/node/6596049"
        },
        {
          "name": "ibm-curam-cve202222318-session-fixation (218283)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/218283"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@us.ibm.com",
          "DATE_PUBLIC": "2022-06-17T00:00:00",
          "ID": "CVE-2022-22318",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Curam Social Program Management",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "8.0.0"
                          },
                          {
                            "version_value": "8.0.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "IBM"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "IBM Curam Social Program Management 8.0.0 and 8.0.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system."
            }
          ]
        },
        "impact": {
          "cvssv3": {
            "BM": {
              "A": "L",
              "AC": "L",
              "AV": "L",
              "C": "L",
              "I": "L",
              "PR": "N",
              "S": "U",
              "UI": "N"
            },
            "TM": {
              "E": "U",
              "RC": "C",
              "RL": "O"
            }
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Gain Privileges"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.ibm.com/support/pages/node/6596049",
              "refsource": "CONFIRM",
              "title": "IBM Security Bulletin 6596049 (Curam Social Program Management)",
              "url": "https://www.ibm.com/support/pages/node/6596049"
            },
            {
              "name": "ibm-curam-cve202222318-session-fixation (218283)",
              "refsource": "XF",
              "title": "X-Force Vulnerability Report",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/218283"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2022-22318",
    "datePublished": "2022-06-20T16:25:16.509209Z",
    "dateReserved": "2022-01-03T00:00:00",
    "dateUpdated": "2024-09-16T22:25:40.177Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted