CVE-2021-39065

IBM Spectrum Copy Data Management 2.2.13 and earlier could allow a remote attacker to execute arbitrary commands on the system, caused by improper validation of user-supplied input by the Spectrum Copy Data Management Admin Console login and uploadcertificate function . A remote attacker could inject arbitrary shell commands which would be executed on the affected system. IBM X-Force ID: 214958.

CVSS v3 9.8 CRITICAL
CVSS v2.0 10.0 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

10.0^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 10.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://exchange.xforce.ibmcloud.com/vulnerabilities/214958	VDB Entry Vendor Advisory
https://www.ibm.com/support/pages/node/6525554	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:ibm:spectrum_copy_data_management:*:*:*:*:*:*:*:*

cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*

History

12 Jul 2022, 17:42

Type	Values Removed	Values Added
CWE	~~CWE-20~~	CWE-78

15 Dec 2021, 17:48

Type	Values Removed	Values Added
References	~~(CONFIRM) https://www.ibm.com/support/pages/node/6525554 -~~	(CONFIRM) https://www.ibm.com/support/pages/node/6525554 - Patch, Vendor Advisory
References	~~(XF) https://exchange.xforce.ibmcloud.com/vulnerabilities/214958 -~~	(XF) https://exchange.xforce.ibmcloud.com/vulnerabilities/214958 - VDB Entry, Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 10.0 v3 : 9.8
CWE		CWE-20
CPE		cpe:2.3:a:ibm:spectrum_copy_data_management:::::::: cpe:2.3:o:linux:linux_kernel:-:::::::*

13 Dec 2021, 18:21

Type	Values Removed	Values Added
New CVE

Information

Published : 2021-12-13 18:15

Updated : 2023-12-10 14:09

NVD link : CVE-2021-39065

Mitre link : CVE-2021-39065

CVE.ORG link : CVE-2021-39065

JSON object : View

Products Affected

linux

linux_kernel

ibm

spectrum_copy_data_management

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2021-39065", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 10.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Secondary", "source": "psirt@us.ibm.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2021-12-13T18:15:08.333", "references": [{"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/214958", "tags": ["VDB Entry", "Vendor Advisory"], "source": "psirt@us.ibm.com"}, {"url": "https://www.ibm.com/support/pages/node/6525554", "tags": ["Patch", "Vendor Advisory"], "source": "psirt@us.ibm.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "IBM Spectrum Copy Data Management 2.2.13 and earlier could allow a remote attacker to execute arbitrary commands on the system, caused by improper validation of user-supplied input by the Spectrum Copy Data Management Admin Console login and uploadcertificate function . A remote attacker could inject arbitrary shell commands which would be executed on the affected system. IBM X-Force ID: 214958."}, {"lang": "es", "value": "IBM Spectrum Copy Data Management 2.2.13 y anteriores, pod\u00edan permitir a un atacante remoto ejecutar comandos arbitrarios en el sistema, debido a la comprobaci\u00f3n inapropiada de la entrada proporcionada por el usuario en la funci\u00f3n login and uploadcertificate de la consola de administraci\u00f3n de Spectrum Copy Data Management. Un atacante remoto podr\u00eda inyectar comandos shell arbitrarios que ser\u00e1n ejecutados en el sistema afectado. IBM X-Force ID: 214958"}], "lastModified": "2022-07-12T17:42:04.277", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ibm:spectrum_copy_data_management:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "291987C4-0B53-43A5-AD73-AB08926778F8", "versionEndIncluding": "2.2.13"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "psirt@us.ibm.com"}