CVE-2023-43040
Published: 14 May 2024
Summary
CVE-2023-43040 is a medium-severity Insufficient Granularity of Access Control (CWE-1220) vulnerability in IBM Storage Fusion HCI. Its CVSS base score is 6.5 (Medium).
Operationally, it ranks in the top 8.0% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
IBM Spectrum Fusion HCI versions 2.5.2 through 2.7.2 contain a vulnerability that permits unauthorized actions against the RGW (RADOS Gateway) component of Ceph because of improper bucket access controls. The flaw is tracked under CWE-1220 and carries a CVSS 3.1 score of 6.5, reflecting a network attack vector, high attack complexity, and no required privileges or user interaction.
An unauthenticated remote attacker can leverage the issue to alter data (high integrity impact) and, to a lesser extent, disrupt availability within the affected Ceph RGW environment. Exploitation requires no credentials and can be performed over the network, although the high attack-complexity rating indicates that non-trivial conditions must be met.
The associated EPSS score reached a peak of 0.1017 before receding to the current value of 0.0759, indicating limited sustained exploitation interest after disclosure. IBM has published remediation guidance at the referenced support page for affected Spectrum Fusion HCI deployments.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-47461
Vulnerability details
IBM Spectrum Fusion HCI 2.5.2 through 2.7.2 could allow an attacker to perform unauthorized actions in RGW for Ceph due to improper bucket access. IBM X-Force ID: 266807.
- CWE(s): CWE-1220 (Insufficient Granularity of Access Control)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely mitigating controls (AI-derived mapping)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Use of granular security and privacy attributes enables finer access control than coarse permission models alone.
- Documenting interface characteristics enables more granular control over internal access.
- Requiring the architecture to describe the granularity and placement of controls prevents insufficiently fine-grained access decisions.
- Placing system management functions outside the reach of user-level access controls provides the necessary granularity.
- Isolation supplies an explicit, enforceable granularity boundary between security and non-security functions that coarser access-control schemes lack.