Cyber Resilience

CVE-2022-22394

High

Published: 21 March 2022

Modified: 21 November 2024
KEV Added: not listed
Patch: (no entry)
CVSS v3.1 score: 8.8 (vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0533 (90.3rd percentile)
Risk priority: 21 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-22394 is a high-severity vulnerability in IBM Spectrum Protect whose weakness type is unspecified (no CWE assigned). Its CVSS base score is 8.8 (High).

Operationally, its EPSS score ranks it in the top 9.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2022-22394 affects the IBM Spectrum Protect 8.1.14.000 server and stems from improper enforcement of access controls. The flaw permits a remote attacker to bypass security restrictions after signing in, resulting in unauthorized access that can escalate to administrator or node privileges on the server.

An authenticated attacker with low privileges can exploit the weakness over the network without user interaction, which is reflected in the CVSS 3.1 base score of 8.8. Successful exploitation lets the attacker circumvent intended security boundaries and obtain elevated administrative or node-level access to the Spectrum Protect server.

Public advisories from IBM and the associated X-Force Exchange entry describe the issue and point to vendor guidance for affected deployments. The EPSS score has remained flat at 0.0533 with no material increase after disclosure.

EU & UK References

Vulnerability details

The IBM Spectrum Protect 8.1.14.000 server could allow a remote attacker to bypass security restrictions, caused by improper enforcement of access controls. By signing in, an attacker could exploit this vulnerability to bypass security and gain unauthorized administrator or node access to the vulnerable server.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: IBM
Product: Spectrum Protect
Version: 8.1.14.100

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References