A vulnerability classified as critical was found in IBM Data Risk Manager 2.0.6. The affected code block is unknown. Manipulation with an unknown input leads to a weak-authentication vulnerability (default credentials).
IBM Data Risk Manager is an integration platform for IBM Guardium®, Symantec DLP and IBM Information Governance Catalog that offers a programmatic process for ongoing discovery, classification and reporting of sensitive data and associated risks across the enterprise.
It uses real-time information to efficiently discover sensitive information assets and yet-unidentified data stores. Helping you understand sensitive data access, activity and data flows, this offer is designed to determine threats, exposures and vulnerabilities.
This discovery process provides an end-to-end view of all business metadata — applications, processes, policies and procedures, controls and ownership, and more — associated with sensitive information assets.
The CWE definition for the vulnerability is CWE-798. The impact is known to affect confidentiality.
The weakness was published 09/22/2020. The advisory is available for download at ibm.com. This vulnerability has been assigned CVE-2020-4622 since 12/30/2019. Exploitation appears to be easy. The attack can be initiated remotely, and no form of authentication is required for a successful exploitation. Neither technical details nor an exploit are publicly available.
No countermeasures are known. Replacing the affected product with an alternative may be suggested.
Other vulnerabilities in this application are:
IBM Data Risk Manager privilege escalation CVE-2020-4621
IBM Data Risk Manager Extension Code privilege escalation CVE-2020-4620
IBM Data Risk Manager Credential Storage Plaintext weak encryption CVE-2020-4619
IBM Data Risk Manager denial of service CVE-2020-4618
IBM Data Risk Manager cross site request forgery CVE-2020-4617
IBM Data Risk Manager information disclosure CVE-2020-4616
IBM Data Risk Manager Web UI cross site scripting CVE-2020-4615
IBM Data Risk Manager weak encryption CVE-2020-4614
IBM Data Risk Manager weak encryption CVE-2020-4613
IBM Data Risk Manager information disclosure CVE-2020-4612
IBM Data Risk Manager privilege escalation CVE-2020-4611