CVE-2021-38900 - OpenCVE

IBM Business Process Manager 8.5 and 8.6 and IBM Business Automation Workflow 18.0, 19.0, 20.0 and 21.0 could allow a privileged user to obtain highly sensitive information due to improper access controls. IBM X-Force ID: 209607.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Ibm	Business Automation Workflow Workflow Process Service Business Process Manager

Configuration 1 [-]

OR	cpe:2.3:a:ibm:business_automation_workflow:18.0.0.0:::::::*
	cpe:2.3:a:ibm:business_automation_workflow:18.0.0.1:::::::*
	cpe:2.3:a:ibm:business_automation_workflow:18.0.0.2:::::::*
	cpe:2.3:a:ibm:business_automation_workflow:19.0.0.0:::::::*
	cpe:2.3:a:ibm:business_automation_workflow:19.0.0.1:::::::*
	cpe:2.3:a:ibm:business_automation_workflow:20.0.0.0:::::::*
	cpe:2.3:a:ibm:business_automation_workflow:21.0.0.0::::-:::
	cpe:2.3:a:ibm:business_process_manager:8.5.0.0:::::::*
	cpe:2.3:a:ibm:business_process_manager:8.6.0.0:-:::-:::*
	cpe:2.3:a:ibm:workflow_process_service:21.0.2:::::::*

References

Link	Resource
https://exchange.xforce.ibmcloud.com/vulnerabilities/209607	VDB Entry Vendor Advisory
https://www.ibm.com/support/pages/node/6527776	Patch Vendor Advisory
https://www.ibm.com/support/pages/node/6528296	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: ibm

Published: 2021-12-20T00:00:00

Updated: 2021-12-21T19:10:15

Reserved: 2021-08-16T00:00:00

Link: CVE-2021-38900

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-12-21T19:15:07.770

Modified: 2022-07-12T17:42:04.277

Link: CVE-2021-38900

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-Other

{"containers": {"cna": {"affected": [{"product": "Business Automation Workflow", "vendor": "IBM", "versions": [{"status": "affected", "version": "18.0.0.0"}, {"status": "affected", "version": "18.0.0.1"}, {"status": "affected", "version": "18.0.0.2"}, {"status": "affected", "version": "19.0.0.1"}, {"status": "affected", "version": "19.0.0.2"}, {"status": "affected", "version": "19.0.0.3"}, {"status": "affected", "version": "20.0.0.1"}, {"status": "affected", "version": "20.0.0.2"}, {"status": "affected", "version": "21.0.2"}]}, {"product": "Cloud Pak for Automation", "vendor": "IBM", "versions": [{"status": "affected", "version": "21.0.2"}]}], "datePublic": "2021-12-20T00:00:00", "descriptions": [{"lang": "en", "value": "IBM Business Process Manager 8.5 and 8.6 and IBM Business Automation Workflow 18.0, 19.0, 20.0 and 21.0 could allow a privileged user to obtain highly sensitive information due to improper access controls. IBM X-Force ID: 209607."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "exploitCodeMaturity": "UNPROVEN", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "remediationLevel": "OFFICIAL_FIX", "reportConfidence": "CONFIRMED", "scope": "UNCHANGED", "temporalScore": 4.3, "temporalSeverity": "MEDIUM", "userInteraction": "NONE", "vectorString": "CVSS:3.0/A:N/AV:N/AC:L/UI:N/S:U/C:H/PR:H/I:N/RC:C/E:U/RL:O", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "Obtain Information", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-12-21T19:10:15", "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.ibm.com/support/pages/node/6527776"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.ibm.com/support/pages/node/6528296"}, {"name": "ibm-baw-cve202138900-info-disc (209607)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/209607"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@us.ibm.com", "DATE_PUBLIC": "2021-12-20T00:00:00", "ID": "CVE-2021-38900", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Business Automation Workflow", "version": {"version_data": [{"version_value": "18.0.0.0"}, {"version_value": "18.0.0.1"}, {"version_value": "18.0.0.2"}, {"version_value": "19.0.0.1"}, {"version_value": "19.0.0.2"}, {"version_value": "19.0.0.3"}, {"version_value": "20.0.0.1"}, {"version_value": "20.0.0.2"}, {"version_value": "21.0.2"}]}}, {"product_name": "Cloud Pak for Automation", "version": {"version_data": [{"version_value": "21.0.2"}]}}]}, "vendor_name": "IBM"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "IBM Business Process Manager 8.5 and 8.6 and IBM Business Automation Workflow 18.0, 19.0, 20.0 and 21.0 could allow a privileged user to obtain highly sensitive information due to improper access controls. IBM X-Force ID: 209607."}]}, "impact": {"cvssv3": {"BM": {"A": "N", "AC": "L", "AV": "N", "C": "H", "I": "N", "PR": "H", "S": "U", "UI": "N"}, "TM": {"E": "U", "RC": "C", "RL": "O"}}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Obtain Information"}]}]}, "references": {"reference_data": [{"name": "https://www.ibm.com/support/pages/node/6527776", "refsource": "CONFIRM", "title": "IBM Security Bulletin 6527776 (Business Automation Workflow)", "url": "https://www.ibm.com/support/pages/node/6527776"}, {"name": "https://www.ibm.com/support/pages/node/6528296", "refsource": "CONFIRM", "title": "IBM Security Bulletin 6528296 (Cloud Pak for Automation)", "url": "https://www.ibm.com/support/pages/node/6528296"}, {"name": "ibm-baw-cve202138900-info-disc (209607)", "refsource": "XF", "title": "X-Force Vulnerability Report", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/209607"}]}}}}, "cveMetadata": {"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "assignerShortName": "ibm", "cveId": "CVE-2021-38900", "datePublished": "2021-12-20T00:00:00", "dateReserved": "2021-08-16T00:00:00", "dateUpdated": "2021-12-21T19:10:15", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ibm:business_automation_workflow:18.0.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "B1D36993-75D4-4EDE-8748-A3FDE4C69DF3", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:business_automation_workflow:18.0.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "10B802CE-F898-4B60-9E2C-4D271F9211C7", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:business_automation_workflow:18.0.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "FBD82AD2-FE98-4716-A60A-50554620A509", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:business_automation_workflow:19.0.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "90104525-6A11-4A42-8DD8-BFE267FCF306", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:business_automation_workflow:19.0.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "5BC333C1-E9D6-42B0-AC11-2A98FDBFEF4D", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:business_automation_workflow:20.0.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "830D598E-6916-4170-946D-C04411077148", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:business_automation_workflow:21.0.0.0:*:*:*:-:*:*:*", "matchCriteriaId": "4716C07D-A372-47CC-BDE8-FEBBC8EDB919", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:business_process_manager:8.5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "989C89DF-C6CB-45C9-9592-30A83896BD71", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:business_process_manager:8.6.0.0:-:*:*:-:*:*:*", "matchCriteriaId": "6DE7BCD3-C969-4248-B325-8EAAE9959797", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:workflow_process_service:21.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "6DBD44DD-45DA-4453-8C78-810565251FD8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "IBM Business Process Manager 8.5 and 8.6 and IBM Business Automation Workflow 18.0, 19.0, 20.0 and 21.0 could allow a privileged user to obtain highly sensitive information due to improper access controls. IBM X-Force ID: 209607."}, {"lang": "es", "value": "IBM Business Process Manager versiones 8.5 y 8.6, e IBM Business Automation Workflow versiones 18.0, 19.0, 20.0 y 21.0, podr\u00edan permitir a un usuario con privilegios conseguir informaci\u00f3n altamente confidencial debido a controles de acceso inapropiados. IBM X-Force ID: 209607"}], "id": "CVE-2021-38900", "lastModified": "2022-07-12T17:42:04.277", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "psirt@us.ibm.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-12-21T19:15:07.770", "references": [{"source": "psirt@us.ibm.com", "tags": ["VDB Entry", "Vendor Advisory"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/209607"}, {"source": "psirt@us.ibm.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.ibm.com/support/pages/node/6527776"}, {"source": "psirt@us.ibm.com", "tags": ["Vendor Advisory"], "url": "https://www.ibm.com/support/pages/node/6528296"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}