CVE-2022-22353 - OpenCVE

IBM Big SQL on IBM Cloud Pak for Data 7.1.0, 7.1.1, 7.2.0, and 7.2.3 could allow an authenticated user with appropriate permissions to obtain sensitive information by bypassing data masking rules using a CREATE TABLE SELECT statement. IBM X-Force ID: 220480.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Ibm	Big Sql Cloud Pak For Data
Cloudera	Data Platform

Configuration 1 [-]

AND

cpe:2.3:a:ibm:big_sql:7.1.0:*:*:*:*:*:*:*

OR	cpe:2.3:a:cloudera:data_platform:7.1.3:::::::*
	cpe:2.3:a:cloudera:data_platform:7.1.4:::::::*
	cpe:2.3:a:cloudera:data_platform:7.1.5:::::::*
	cpe:2.3:a:cloudera:data_platform:7.1.7:::::::*

Configuration 2 [-]

AND

cpe:2.3:a:ibm:big_sql:7.1.1:*:*:*:*:*:*:*

OR	cpe:2.3:a:ibm:cloud_pak_for_data:3.5:-::::::
	cpe:2.3:a:ibm:cloud_pak_for_data:3.5:refresh_1::::::
	cpe:2.3:a:ibm:cloud_pak_for_data:3.5:refresh_9::::::

Configuration 3 [-]

AND

cpe:2.3:a:ibm:big_sql:*:*:*:*:*:*:*:*

OR	cpe:2.3:a:ibm:cloud_pak_for_data:4.0:-::::::
	cpe:2.3:a:ibm:cloud_pak_for_data:4.0:refresh_1::::::
	cpe:2.3:a:ibm:cloud_pak_for_data:4.0:refresh_3::::::

Configuration 4 [-]

AND

cpe:2.3:a:ibm:big_sql:7.2.3:*:*:*:*:*:*:*

cpe:2.3:a:ibm:cloud_pak_for_data:4.0:refresh_4:*:*:*:*:*:*

References

Link	Resource
https://exchange.xforce.ibmcloud.com/vulnerabilities/220480	VDB Entry Vendor Advisory
https://www.ibm.com/support/pages/node/6563021	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: ibm

Published: 2022-03-11T00:00:00

Updated: 2022-03-14T17:00:25

Reserved: 2022-01-03T00:00:00

Link: CVE-2022-22353

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-03-14T17:15:07.993

Modified: 2022-03-22T14:40:36.893

Link: CVE-2022-22353

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "Big SQL on Cloud Pak for Data", "vendor": "IBM", "versions": [{"status": "affected", "version": "7.1.0"}, {"status": "affected", "version": "7.1.1"}, {"status": "affected", "version": "7.2.0"}, {"status": "affected", "version": "7.2.3"}]}], "datePublic": "2022-03-11T00:00:00", "descriptions": [{"lang": "en", "value": "IBM Big SQL on IBM Cloud Pak for Data 7.1.0, 7.1.1, 7.2.0, and 7.2.3 could allow an authenticated user with appropriate permissions to obtain sensitive information by bypassing data masking rules using a CREATE TABLE SELECT statement. IBM X-Force ID: 220480."}], "metrics": [{"cvssV3_0": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "exploitCodeMaturity": "UNPROVEN", "integrityImpact": "NONE", "privilegesRequired": "LOW", "remediationLevel": "OFFICIAL_FIX", "reportConfidence": "CONFIRMED", "scope": "UNCHANGED", "temporalScore": 4.6, "temporalSeverity": "MEDIUM", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/A:N/C:H/AC:H/PR:L/S:U/I:N/UI:N/RC:C/E:U/RL:O", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "Obtain Information", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-03-14T17:00:25", "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.ibm.com/support/pages/node/6563021"}, {"name": "ibm-bigsql-cve202222353-info-disc (220480)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/220480"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@us.ibm.com", "DATE_PUBLIC": "2022-03-11T00:00:00", "ID": "CVE-2022-22353", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Big SQL on Cloud Pak for Data", "version": {"version_data": [{"version_value": "7.1.0"}, {"version_value": "7.1.1"}, {"version_value": "7.2.0"}, {"version_value": "7.2.3"}]}}]}, "vendor_name": "IBM"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "IBM Big SQL on IBM Cloud Pak for Data 7.1.0, 7.1.1, 7.2.0, and 7.2.3 could allow an authenticated user with appropriate permissions to obtain sensitive information by bypassing data masking rules using a CREATE TABLE SELECT statement. IBM X-Force ID: 220480."}]}, "impact": {"cvssv3": {"BM": {"A": "N", "AC": "H", "AV": "N", "C": "H", "I": "N", "PR": "L", "S": "U", "UI": "N"}, "TM": {"E": "U", "RC": "C", "RL": "O"}}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Obtain Information"}]}]}, "references": {"reference_data": [{"name": "https://www.ibm.com/support/pages/node/6563021", "refsource": "CONFIRM", "title": "IBM Security Bulletin 6563021 (Big SQL on Cloud Pak for Data)", "url": "https://www.ibm.com/support/pages/node/6563021"}, {"name": "ibm-bigsql-cve202222353-info-disc (220480)", "refsource": "XF", "title": "X-Force Vulnerability Report", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/220480"}]}}}}, "cveMetadata": {"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "assignerShortName": "ibm", "cveId": "CVE-2022-22353", "datePublished": "2022-03-11T00:00:00", "dateReserved": "2022-01-03T00:00:00", "dateUpdated": "2022-03-14T17:00:25", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ibm:big_sql:7.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "6280ECB3-44A0-4ABE-9649-ADCA36987041", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:cloudera:data_platform:7.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "34D66F54-B5E4-4592-8D81-6F5FA5050AD2", "vulnerable": false}, {"criteria": "cpe:2.3:a:cloudera:data_platform:7.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "40696221-58E6-4007-A569-BC5CB092BCF9", "vulnerable": false}, {"criteria": "cpe:2.3:a:cloudera:data_platform:7.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "6CA8E30F-9528-4807-B724-33541DD483AF", "vulnerable": false}, {"criteria": "cpe:2.3:a:cloudera:data_platform:7.1.7:*:*:*:*:*:*:*", "matchCriteriaId": "2A4E786D-B883-4901-9AEE-D9CC00D066F2", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ibm:big_sql:7.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "3499AC1D-FEB6-4E8D-8763-D6C41AE66E50", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:ibm:cloud_pak_for_data:3.5:-:*:*:*:*:*:*", "matchCriteriaId": "74BA5C30-0041-4DE6-A673-EACFCCE3E759", "vulnerable": false}, {"criteria": "cpe:2.3:a:ibm:cloud_pak_for_data:3.5:refresh_1:*:*:*:*:*:*", "matchCriteriaId": "441ADAEA-7036-48A2-8272-6F3493075499", "vulnerable": false}, {"criteria": "cpe:2.3:a:ibm:cloud_pak_for_data:3.5:refresh_9:*:*:*:*:*:*", "matchCriteriaId": "0D9430C3-6D1E-46C2-A9F2-B416B266F10A", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ibm:big_sql:*:*:*:*:*:*:*:*", "matchCriteriaId": "C5710866-C865-4A15-88CA-E5CAA2CD1967", "versionEndIncluding": "7.2.3", "versionStartIncluding": "7.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:ibm:cloud_pak_for_data:4.0:-:*:*:*:*:*:*", "matchCriteriaId": "89FB80EE-E435-4D86-82B1-4A5AC1D85245", "vulnerable": false}, {"criteria": "cpe:2.3:a:ibm:cloud_pak_for_data:4.0:refresh_1:*:*:*:*:*:*", "matchCriteriaId": "5428EB87-06D7-46E2-B8F5-CE01EF0C5C8A", "vulnerable": false}, {"criteria": "cpe:2.3:a:ibm:cloud_pak_for_data:4.0:refresh_3:*:*:*:*:*:*", "matchCriteriaId": "E552B244-DF27-46A5-AB04-C1AF91877F0A", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ibm:big_sql:7.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "D02A88E8-BA33-498A-9517-62EF82BE0C02", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:ibm:cloud_pak_for_data:4.0:refresh_4:*:*:*:*:*:*", "matchCriteriaId": "F53C3054-B4D0-4626-81D1-B0406DFD8466", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "IBM Big SQL on IBM Cloud Pak for Data 7.1.0, 7.1.1, 7.2.0, and 7.2.3 could allow an authenticated user with appropriate permissions to obtain sensitive information by bypassing data masking rules using a CREATE TABLE SELECT statement. IBM X-Force ID: 220480."}, {"lang": "es", "value": "IBM Big SQL en IBM Cloud Pak for Data versiones 7.1.0, 7.1.1, 7.2.0 y 7.2.3, podr\u00eda permitir a un usuario autenticado con los permisos adecuados obtener informaci\u00f3n confidencial al omitir las reglas de enmascaramiento de datos mediante una sentencia CREATE TABLE SELECT. IBM X-Force ID: 220480"}], "id": "CVE-2022-22353", "lastModified": "2022-03-22T14:40:36.893", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "psirt@us.ibm.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-03-14T17:15:07.993", "references": [{"source": "psirt@us.ibm.com", "tags": ["VDB Entry", "Vendor Advisory"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/220480"}, {"source": "psirt@us.ibm.com", "tags": ["Vendor Advisory"], "url": "https://www.ibm.com/support/pages/node/6563021"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}