#VU64010 Information disclosure in IBM DS8000 Hardware Management Console - CVE-2021-38929

Cybersecurity Help s.r.o.

Published: 2022-06-07

Vulnerability identifier: #VU64010

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-38929

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
IBM DS8000 Hardware Management Console
Server applications / Remote management servers, RDP, SSH

Vendor: IBM Corporation

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote attacker can gain unauthorized access to sensitive information on the system through unpublished URLs.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

IBM DS8000 Hardware Management Console: before 88.50.184.0

External links
https://www.ibm.com/support/pages/node/6570741
https://exchange.xforce.ibmcloud.com/vulnerabilities/210330

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM DS8000 Hardware Management Console