CVE-2020-4670

IBM Planning Analytics Local 2.0 connects to a Redis server. The Redis server, an in-memory data structure store, running on the remote host is not protected by password authentication. A remote attacker can exploit this to gain unauthorized access to the server. IBM X-Force ID: 186401.

CVSS v3 9.1 CRITICAL
CVSS v2.0 6.4 MEDIUM

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

6.4^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:N

Exploitability : 10.0 / Impact : 4.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://exchange.xforce.ibmcloud.com/vulnerabilities/186401	VDB Entry Vendor Advisory
https://www.ibm.com/support/pages/node/6436821	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ibm:planning_analytics_cloud:2.0.0:::::::*
	cpe:2.3:a:ibm:planning_analytics_local:2.0.0:::::::*

History

No history.

Information

Published : 2021-05-17 17:15

Updated : 2022-06-28 14:11

NVD link : CVE-2020-4670

Mitre link : CVE-2020-4670

CVE.ORG link : CVE-2020-4670

JSON object : View

Products Affected

ibm

planning_analytics_local
planning_analytics_cloud

CWE

CWE-306

Missing Authentication for Critical Function

{"id": "CVE-2020-4670", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.4, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Secondary", "source": "psirt@us.ibm.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.2}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2021-05-17T17:15:07.983", "references": [{"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/186401", "tags": ["VDB Entry", "Vendor Advisory"], "source": "psirt@us.ibm.com"}, {"url": "https://www.ibm.com/support/pages/node/6436821", "tags": ["Patch", "Vendor Advisory"], "source": "psirt@us.ibm.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "IBM Planning Analytics Local 2.0 connects to a Redis server. The Redis server, an in-memory data structure store, running on the remote host is not protected by password authentication. A remote attacker can exploit this to gain unauthorized access to the server. IBM X-Force ID: 186401."}, {"lang": "es", "value": "IBM Planning Analytics Local versi\u00f3n 2.0, se conecta a un servidor Redis. El servidor Redis, un almac\u00e9n de estructura de datos en memoria, que se ejecuta en el host remoto no est\u00e1 protegido por autenticaci\u00f3n de contrase\u00f1a. Un atacante remoto puede explotar esto para conseguir acceso no autorizado al servidor. IBM X-Force ID: 186401"}], "lastModified": "2022-06-28T14:11:45.273", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ibm:planning_analytics_cloud:2.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EDD357EA-492B-4F5B-A7CE-BA166163CC67"}, {"criteria": "cpe:2.3:a:ibm:planning_analytics_local:2.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E647C68C-3438-4635-BEBA-D6F5076DA50F"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@us.ibm.com"}