CVE-2021-20564 : IBM Cloud Pak for Security (CP4S) 1.4.0.0, 1.5.0.0, 1.5.0.1, 1.6.0.0, and 1.6.0.

IBM Cloud Pak for Security (CP4S) 1.4.0.0, 1.5.0.0, 1.5.0.1, 1.6.0.0, and 1.6.0.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 199235.

Published 2021-05-14 17:15:08

Updated 2022-06-28 14:11:45

Source IBM Corporation

View at NVD, CVE.org

Products affected by CVE-2021-20564

IBM » Cloud Pak For Security » Version: 1.4.0.0
cpe:2.3:a:ibm:cloud_pak_for_security:1.4.0.0:*:*:*:*:*:*:*
Matching versions
IBM » Cloud Pak For Security » Version: 1.5.0.0
cpe:2.3:a:ibm:cloud_pak_for_security:1.5.0.0:*:*:*:*:*:*:*
Matching versions
IBM » Cloud Pak For Security » Version: 1.5.0.1
cpe:2.3:a:ibm:cloud_pak_for_security:1.5.0.1:*:*:*:*:*:*:*
Matching versions
IBM » Cloud Pak For Security » Version: 1.6.0.0
cpe:2.3:a:ibm:cloud_pak_for_security:1.6.0.0:*:*:*:*:*:*:*
Matching versions
IBM » Cloud Pak For Security » Version: 1.6.0.1
cpe:2.3:a:ibm:cloud_pak_for_security:1.6.0.1:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2021-20564

EPSS FAQ

0.07%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 19 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-20564

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:P/I:N/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
5.9	MEDIUM	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N	2.2	3.6	IBM Corporation
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None
5.9	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N	2.2	3.6	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2021-20564

CWE-319 Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2021-20564

https://exchange.xforce.ibmcloud.com/vulnerabilities/199235

IBM Cloud Pak for Security information disclosure CVE-2021-20564 Vulnerability Report
VDB Entry;Vendor Advisory
https://www.ibm.com/support/pages/node/6453115

Security Bulletin: Cloud Pak for Security contains security vulnerabilities
Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2021-20564

Products affected by CVE-2021-20564

Exploit prediction scoring system (EPSS) score for CVE-2021-20564

CVSS scores for CVE-2021-20564

CWE ids for CVE-2021-20564

References for CVE-2021-20564