CVE-2022-35280 - OpenCVE

IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 230634.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Ibm	Robotic Process Automation For Cloud Pak
Microsoft	Windows

Configuration 1 [-]

AND

OR	cpe:2.3:a:ibm:robotic_process_automation_for_cloud_pak:21.0.0:::::::*
	cpe:2.3:a:ibm:robotic_process_automation_for_cloud_pak:21.0.1:::::::*
	cpe:2.3:a:ibm:robotic_process_automation_for_cloud_pak:21.0.2:::::::*

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

References

Link	Resource
https://exchange.xforce.ibmcloud.com/vulnerabilities/230634	Broken Link
https://www.ibm.com/support/pages/node/6610393	Broken Link

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: ibm

Published: 2022-08-04T00:00:00

Updated: 2022-08-10T16:50:30

Reserved: 2022-07-06T00:00:00

Link: CVE-2022-35280

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-08-10T17:15:09.280

Modified: 2022-08-13T00:16:38.530

Link: CVE-2022-35280

JSON object: View

Redhat Information

No data.

CWE

CWE-521

{"containers": {"cna": {"affected": [{"product": "Robotic Process Automation", "vendor": "IBM", "versions": [{"status": "affected", "version": "21.0.0"}, {"status": "affected", "version": "21.0.1"}, {"status": "affected", "version": "21.0.2"}]}], "datePublic": "2022-08-04T00:00:00", "descriptions": [{"lang": "en", "value": "IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 230634."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "exploitCodeMaturity": "UNPROVEN", "integrityImpact": "NONE", "privilegesRequired": "NONE", "remediationLevel": "OFFICIAL_FIX", "reportConfidence": "CONFIRMED", "scope": "UNCHANGED", "temporalScore": 4, "temporalSeverity": "MEDIUM", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AC:L/C:H/UI:N/AV:P/A:N/PR:N/S:U/I:N/E:U/RL:O/RC:C", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "Obtain Information", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-08-10T16:50:30", "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.ibm.com/support/pages/node/6610393"}, {"name": "ibm-rpa-cve202235280-info-disc (230634)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/230634"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@us.ibm.com", "DATE_PUBLIC": "2022-08-04T00:00:00", "ID": "CVE-2022-35280", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Robotic Process Automation", "version": {"version_data": [{"version_value": "21.0.0"}, {"version_value": "21.0.1"}, {"version_value": "21.0.2"}]}}]}, "vendor_name": "IBM"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 230634."}]}, "impact": {"cvssv3": {"BM": {"A": "N", "AC": "L", "AV": "P", "C": "H", "I": "N", "PR": "N", "S": "U", "UI": "N"}, "TM": {"E": "U", "RC": "C", "RL": "O"}}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Obtain Information"}]}]}, "references": {"reference_data": [{"name": "https://www.ibm.com/support/pages/node/6610393", "refsource": "CONFIRM", "title": "IBM Security Bulletin 6610393 (Robotic Process Automation)", "url": "https://www.ibm.com/support/pages/node/6610393"}, {"name": "ibm-rpa-cve202235280-info-disc (230634)", "refsource": "XF", "title": "X-Force Vulnerability Report", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/230634"}]}}}}, "cveMetadata": {"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "assignerShortName": "ibm", "cveId": "CVE-2022-35280", "datePublished": "2022-08-04T00:00:00", "dateReserved": "2022-07-06T00:00:00", "dateUpdated": "2022-08-10T16:50:30", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ibm:robotic_process_automation_for_cloud_pak:21.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "C0C0A1A1-12D0-43A0-8F1C-534BCCD77A59", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:robotic_process_automation_for_cloud_pak:21.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "4DFB04F3-FC7A-472B-BAC5-8EAA378C8390", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:robotic_process_automation_for_cloud_pak:21.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "69999572-5E34-4C34-A40C-899E898578CF", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 230634."}, {"lang": "es", "value": "IBM Robotic Process Automation versiones 21.0.0, 21.0.1 y 21.0.2, no exige que usuarios tengan contrase\u00f1as seguras por defecto, lo que facilita que atacantes puedan comprometer las cuentas de usuarios. IBM X-Force ID: 230634"}], "id": "CVE-2022-35280", "lastModified": "2022-08-13T00:16:38.530", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 0.9, "impactScore": 3.6, "source": "psirt@us.ibm.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-08-10T17:15:09.280", "references": [{"source": "psirt@us.ibm.com", "tags": ["Broken Link"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/230634"}, {"source": "psirt@us.ibm.com", "tags": ["Broken Link"], "url": "https://www.ibm.com/support/pages/node/6610393"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-521"}], "source": "nvd@nist.gov", "type": "Primary"}]}