Insecure TLS Certificate Management in IBM Spectrum Protect Plus
CVE-2022-40234
5.9 MEDIUM
Summary
Versions of IBM Spectrum Protect Plus before 10.1.12 inadvertently include private key details within generated .crt files during TLS certificate uploads. If such a .crt file is distributed, it allows unauthorized access to the associated private key, creating a significant security risk. This vulnerability can facilitate attacks that compromise secure communications.
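Added example, not IBM's code and not part of the original advisory: a Python check that flags private-key PEM blocks inside a .crt file before it is distributed, and rebuilds a certificate-only copy. It assumes the .crt file is PEM-encoded, which the advisory does not state; the function names and sample data are constructed for illustration.

```python
import re
import sys

# PEM boundaries (RFC 7468): -----BEGIN <label>----- ... -----END <label>-----
BEGIN_LINE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)

def pem_labels(text):
    """Label of every BEGIN marker, in order (a truncated block still counts)."""
    return BEGIN_LINE.findall(text)

def private_key_labels(text):
    """Labels that denote key material: PRIVATE KEY, RSA/EC/ENCRYPTED PRIVATE KEY."""
    return [label for label in pem_labels(text) if label.endswith("PRIVATE KEY")]

def certificates_only(text):
    """Rebuild the file from its complete CERTIFICATE blocks, dropping all else."""
    blocks = [m.group(0) for m in PEM_BLOCK.finditer(text)
              if m.group(1) == "CERTIFICATE"]
    return "\n".join(blocks) + ("\n" if blocks else "")

def audit(path):
    """Private-key labels found in the file at path; an empty list means none."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        return private_key_labels(fh.read())

# Constructed sample: placeholder base64 bodies, not real certificate or key data.
SAMPLE_CRT = (
    "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    # Usage: python check_crt.py file1.crt file2.crt ...
    exit_code = 0
    for path in sys.argv[1:]:
        found = audit(path)
        status = "contains " + ", ".join(found) if found else "ok"
        print(f"{path}: {status}")
        if found:
            exit_code = 1
    sys.exit(exit_code)
```

A key that has already left the system in a distributed .crt file should be treated as exposed; stripping the block from the file does not change that.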
Affected Version(s)
Spectrum Protect Plus 10.1.0
Spectrum Protect Plus 10.1.11
References
CVSS V3.1
Score: 5.9
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved