CVE-2022-22318 - OpenCVE

IBM Curam Social Program Management 8.0.0 and 8.0.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Oracle	Solaris
Microsoft	Windows
Ibm	Aix Curam Social Program Management Z\/os
Linux	Linux Kernel
Hp	Hp-ux

Configuration 1 [-]

AND

OR	cpe:2.3:a:ibm:curam_social_program_management:8.0.0:::::::*
	cpe:2.3:a:ibm:curam_social_program_management:8.0.1:::::::*

OR	cpe:2.3:o:hp:hp-ux:-:::::::*
	cpe:2.3:o:ibm:aix:-:::::::*
	cpe:2.3:o:ibm:z\/os:-:::::::*
	cpe:2.3:o:linux:linux_kernel:-:::::::*
	cpe:2.3:o:microsoft:windows:-:::::::*
	cpe:2.3:o:oracle:solaris:-::::::-:

References

Link	Resource
https://exchange.xforce.ibmcloud.com/vulnerabilities/218283	VDB Entry Vendor Advisory
https://www.ibm.com/support/pages/node/6596049	Patch Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: ibm

Published: 2022-06-17T00:00:00

Updated: 2022-06-20T16:25:16

Reserved: 2022-01-03T00:00:00

Link: CVE-2022-22318

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-06-20T17:15:08.613

Modified: 2022-06-28T12:22:25.073

Link: CVE-2022-22318

JSON object: View

Redhat Information

No data.

CWE

CWE-613

{"containers": {"cna": {"affected": [{"product": "Curam Social Program Management", "vendor": "IBM", "versions": [{"status": "affected", "version": "8.0.0"}, {"status": "affected", "version": "8.0.1"}]}], "datePublic": "2022-06-17T00:00:00", "descriptions": [{"lang": "en", "value": "IBM Curam Social Program Management 8.0.0 and 8.0.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "exploitCodeMaturity": "UNPROVEN", "integrityImpact": "LOW", "privilegesRequired": "NONE", "remediationLevel": "OFFICIAL_FIX", "reportConfidence": "CONFIRMED", "scope": "UNCHANGED", "temporalScore": 5.2, "temporalSeverity": "MEDIUM", "userInteraction": "NONE", "vectorString": "CVSS:3.0/PR:N/AV:L/A:L/I:L/S:U/AC:L/UI:N/C:L/E:U/RL:O/RC:C", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "Gain Privileges", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-06-20T16:25:16", "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.ibm.com/support/pages/node/6596049"}, {"name": "ibm-curam-cve202222318-session-fixation (218283)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/218283"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@us.ibm.com", "DATE_PUBLIC": "2022-06-17T00:00:00", "ID": "CVE-2022-22318", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Curam Social Program Management", "version": {"version_data": [{"version_value": "8.0.0"}, {"version_value": "8.0.1"}]}}]}, "vendor_name": "IBM"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "IBM Curam Social Program Management 8.0.0 and 8.0.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system."}]}, "impact": {"cvssv3": {"BM": {"A": "L", "AC": "L", "AV": "L", "C": "L", "I": "L", "PR": "N", "S": "U", "UI": "N"}, "TM": {"E": "U", "RC": "C", "RL": "O"}}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Gain Privileges"}]}]}, "references": {"reference_data": [{"name": "https://www.ibm.com/support/pages/node/6596049", "refsource": "CONFIRM", "title": "IBM Security Bulletin 6596049 (Curam Social Program Management)", "url": "https://www.ibm.com/support/pages/node/6596049"}, {"name": "ibm-curam-cve202222318-session-fixation (218283)", "refsource": "XF", "title": "X-Force Vulnerability Report", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/218283"}]}}}}, "cveMetadata": {"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "assignerShortName": "ibm", "cveId": "CVE-2022-22318", "datePublished": "2022-06-17T00:00:00", "dateReserved": "2022-01-03T00:00:00", "dateUpdated": "2022-06-20T16:25:16", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ibm:curam_social_program_management:8.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "134AEBD8-7BF5-4C5E-8231-D01A68D3BA6F", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:curam_social_program_management:8.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "7613A179-35F1-4943-8D0C-0BD34AA2592E", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:hp:hp-ux:-:*:*:*:*:*:*:*", "matchCriteriaId": "F480AA32-841A-4E68-9343-B2E7548B0A0C", "vulnerable": false}, {"criteria": "cpe:2.3:o:ibm:aix:-:*:*:*:*:*:*:*", "matchCriteriaId": "E492C463-D76E-49B7-A4D4-3B499E422D89", "vulnerable": false}, {"criteria": "cpe:2.3:o:ibm:z\\/os:-:*:*:*:*:*:*:*", "matchCriteriaId": "0E97A964-6F9E-4C87-9B90-21AE2C1DF52F", "vulnerable": false}, {"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}, {"criteria": "cpe:2.3:o:oracle:solaris:-:*:*:*:*:*:-:*", "matchCriteriaId": "F5027746-8216-452D-83C5-2F8E9546F2A5", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "IBM Curam Social Program Management 8.0.0 and 8.0.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system."}, {"lang": "es", "value": "IBM Curam Social Program Management versiones 8.0.0 y 8.0.1, no invalida la sesi\u00f3n tras el cierre de sesi\u00f3n, lo que podr\u00eda permitir a un usuario autenticado hacerse pasar por otro usuario en el sistema"}], "id": "CVE-2022-22318", "lastModified": "2022-06-28T12:22:25.073", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0"}, "exploitabilityScore": 2.5, "impactScore": 3.4, "source": "psirt@us.ibm.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-06-20T17:15:08.613", "references": [{"source": "psirt@us.ibm.com", "tags": ["VDB Entry", "Vendor Advisory"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/218283"}, {"source": "psirt@us.ibm.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.ibm.com/support/pages/node/6596049"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-613"}], "source": "nvd@nist.gov", "type": "Primary"}]}