CVE-2021-22506
Published: 26 March 2021
Summary
CVE-2021-22506 is a high-severity vulnerability of an unspecified weakness type in Micro Focus Access Manager. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 6.6% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).
Deeper analysis
The vulnerability is an information leakage issue in the Micro Focus Access Manager product, affecting all versions prior to 5.0 when advanced configuration options are enabled. It is tracked as CVE-2021-22506 with a CVSS 3.1 score of 7.5, reflecting a network-accessible attack vector that requires no authentication or user interaction.
An unauthenticated remote attacker can exploit the flaw over the network to obtain sensitive information that would otherwise remain protected, resulting in high confidentiality impact without affecting integrity or availability.
Micro Focus addresses the issue in version 5.0, according to its release notes for that release. CISA has added the CVE to its Known Exploited Vulnerabilities catalog, confirming active real-world exploitation and the need for affected organizations to prioritize remediation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-9652
Vulnerability details
An advanced configuration option exposes an information leakage vulnerability in the Micro Focus Access Manager product; it affects all versions prior to version 5.0 and could cause information leakage.
- CWE(s): unspecified
- KEV date added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces access control decisions to block unauthenticated network requests that would otherwise leak sensitive information from the Access Manager product.
- AC-4 (Information Flow Enforcement): enforces information flow policies to stop unauthorized disclosure of data exposed by the advanced-configuration flaw.
- SC-7 (Boundary Protection): boundary protection mechanisms can restrict the network-accessible interfaces that an unauthenticated attacker would use to obtain the leaked information.