{"id":2138,"date":"2025-04-29T06:35:04","date_gmt":"2025-04-29T06:35:04","guid":{"rendered":"http:\/\/localhost\/?p=2138"},"modified":"2025-04-29T06:35:04","modified_gmt":"2025-04-29T06:35:04","slug":"security-bulletin-ibm-spectrum-protect-plus-vulnerability-discloses-sensitive-information-due-to-une","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=2138","title":{"rendered":"Security Bulletin: IBM Spectrum Protect Plus vulnerability discloses sensitive information due to unencrypted data in transit (CVE-2020-4497)"},"content":{"rendered":"
\n

Vulnerability Details<\/h2>\n
\n

Basic Information<\/h3>\n\n\n\n\n\n\n
Title<\/th>\nSecurity Bulletin: IBM Spectrum Protect Plus vulnerability discloses sensitive information due to unencrypted data in transit (CVE-2020-4497)<\/td>\n<\/tr>\n
Type<\/th>\nibm<\/td>\n<\/tr>\n
Published<\/th>\n2025-04-29T02:27:14<\/td>\n<\/tr>\n
Last Seen<\/th>\n2025-04-29T11:06:03<\/td>\n<\/tr>\n
CVSS Score<\/th>\n6.8 (MEDIUM)<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

CVSS v3 Details<\/h3>\n\n\n\n\n\n\n\n\n\n
Attack Vector<\/th>\nNETWORK<\/td>\n<\/tr>\n
Attack Complexity<\/th>\nHIGH<\/td>\n<\/tr>\n
Privileges Required<\/th>\nNONE<\/td>\n<\/tr>\n
User Interaction<\/th>\nNONE<\/td>\n<\/tr>\n
Scope<\/th>\nCHANGED<\/td>\n<\/tr>\n
Confidentiality Impact<\/th>\nHIGH<\/td>\n<\/tr>\n
Integrity Impact<\/th>\nNONE<\/td>\n<\/tr>\n
Availability Impact<\/th>\nNONE<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

CVE Information<\/h3>\n\n\n\n\n
CVE IDs<\/th>\nCVE-2020-4497<\/td>\n<\/tr>\n
CWE<\/th>\n<\/td>\n<\/tr>\n
Bulletin Family<\/th>\nsoftware<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

Description<\/h3>\n
\n ## Summary<\/p>\n

IBM Spectrum Protect Plus does not encrypt data transfer between vSnap servers and application agents. This could allow an attacker to view senstive information in transit.<\/p>\n

## Vulnerability Details<\/p>\n

**CVEID:**CVE-2020-4497
\n**DESCRIPTION:** IBM Spectrum Protect Plus discloses sensitive information due to unencryhpted data being used in the communication flow between Spectrum Protect Plus vSnap and its agents. An attacker could obtain information using main in the middle techniques.
\nCVSS Base score: 6.8
\nCVSS Temporal Score: See: https:\/\/exchange.xforce.ibmcloud.com\/vulnerabilities\/182106 for the current score.
\nCVSS Vector: (CVSS:3.0\/AV:N\/AC:H\/PR:N\/UI:N\/S:C\/C:H\/I:N\/A:N)<\/p>\n

## Affected Products and Versions<\/p>\n

**Affected Product(s)** | **Version(s)**
\n—|—
\nIBM Spectrum Protect Plus | 10.1.0-10.1.12 <\/p>\n

## Remediation\/Fixes<\/p>\n

IBM Spectrum Protect Plus 10.1.13 introduces Transport Encryption feature. With transport encryption, you can protect the data transport between application host and vSnap during backup and restore. Transport encryption feature ensures security to each data path of data between the application host and the vSnap by encrypting and decrypting the data. For more information about Transport Encryption, see https:\/\/www.ibm.com\/docs\/en\/SSNQFQ_10.1.13\/spp\/r_spp_vSnap_transportencryption.html **IBM Spectrum Protect
\nPlus ****Affected Versions** | **Fixing**
\n**Level** | **Platform** | **Link to Fix and Instructions**
\n—|—|—|—
\n10.1.0-10.1.12 | 10.1.13 | Linux | **https:\/\/www.ibm.com\/support\/pages\/node\/6827871** <\/p>\n

## Workarounds and Mitigations<\/p>\n

None<\/p>\n

##\n <\/p><\/div>\n<\/p><\/div>\n

\n

Impact Assessment<\/h3>\n\n\n\n
Base Score<\/th>\n6.8<\/td>\n<\/tr>\n
Severity<\/th>\nMEDIUM<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

View full CVE details<\/a><\/p>\n<\/p><\/div>\n<\/div>\n