Skip to main content

Security Guardium Key Lifecycle Manager CVE-2023-47706

HIGH
Unrestricted Upload of File with Dangerous Type (CWE-434)
2023-12-20 psirt@us.ibm.com
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Dec 20, 2023 - 01:15 nvd
HIGH 8.8

DescriptionNVD

IBM Security Guardium Key Lifecycle Manager 4.3 could allow an authenticated user to upload files of a dangerous file type. IBM X-Force ID: 271341.

AnalysisAI

IBM Security Guardium Key Lifecycle Manager 4.3 could allow an authenticated user to upload files of a dangerous file type. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Unrestricted File Upload (CWE-434), which allows attackers to upload malicious files that can be executed on the server. IBM Security Guardium Key Lifecycle Manager 4.3 could allow an authenticated user to upload files of a dangerous file type. IBM X-Force ID: 271341. Affected products include: Ibm Security Guardium Key Lifecycle Manager.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate file types server-side, store uploads outside webroot, use random filenames, scan for malware.

CVE-2023-47702 CRITICAL
9.1 Dec 20

IBM Security Guardium Key Lifecycle Manager 4.3 could allow a remote attacker to traverse directories on the system. Rat

CVE-2024-49819 HIGH
7.5 Dec 17

IBM Security Guardium Key Lifecycle Manager 4.1, 4.1.1, 4.2.0, and 4.2.1 could allow a remote attacker to obtain sensiti

CVE-2023-47704 HIGH
7.5 Dec 20

IBM Security Guardium Key Lifecycle Manager 4.3 contains plain text hard-coded credentials or other secrets in source co

CVE-2021-38984 HIGH
7.5 Nov 15

IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 uses weaker than expected cryptographic algorithms that could

CVE-2021-38983 HIGH
7.5 Nov 15

IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 uses weaker than expected cryptographic algorithms that could

CVE-2021-38979 HIGH
7.5 Nov 15

IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 uses a one-way cryptographic hash against an input that should

CVE-2021-38975 MEDIUM
6.5 Nov 15

IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 could allow an authenticated user to to obtain sensitive infor

CVE-2021-38974 MEDIUM
6.5 Nov 15

IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 could allow an authenticated user to cause a denial of service

CVE-2021-38978 MEDIUM
5.9 Nov 15

IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 could allow a remote attacker to obtain sensitive information,

CVE-2021-38976 MEDIUM
5.5 Nov 15

IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 stores user credentials in plain clear text which can be read

CVE-2023-47707 MEDIUM
5.4 Dec 20

IBM Security Guardium Key Lifecycle Manager 4.3 is vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4),

CVE-2021-38982 MEDIUM
5.4 Nov 15

IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 is vulnerable to cross-site scripting. Rated medium severity (

Share

CVE-2023-47706 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy