CVE-2022-22353 : IBM Big SQL on IBM Cloud Pak for Data 7.1.0, 7.1.1, 7.2.0, and 7.2.3 could allow

IBM Big SQL on IBM Cloud Pak for Data 7.1.0, 7.1.1, 7.2.0, and 7.2.3 could allow an authenticated user with appropriate permissions to obtain sensitive information by bypassing data masking rules using a CREATE TABLE SELECT statement. IBM X-Force ID: 220480.

Published 2022-03-14 17:15:08

Updated 2022-03-22 14:40:37

Source IBM Corporation

View at NVD, CVE.org

Products affected by CVE-2022-22353

IBM » Big Sql
Versions from including (>=) 7.2.0 and up to, including, (<=) 7.2.3
cpe:2.3:a:ibm:big_sql:*:*:*:*:*:*:*:*
Matching versions
When used together with: IBM » Cloud Pak For Data » Version: 4.0
When used together with: IBM » Cloud Pak For Data » Version: 4.0 Update Refresh 1
When used together with: IBM » Cloud Pak For Data » Version: 4.0 Update Refresh 3
IBM » Big Sql » Version: 7.1.0
cpe:2.3:a:ibm:big_sql:7.1.0:*:*:*:*:*:*:*
Matching versions
When used together with: Cloudera » Data Platform » Version: 7.1.3
When used together with: Cloudera » Data Platform » Version: 7.1.4
When used together with: Cloudera » Data Platform » Version: 7.1.5
When used together with: Cloudera » Data Platform » Version: 7.1.7
IBM » Big Sql » Version: 7.1.1
cpe:2.3:a:ibm:big_sql:7.1.1:*:*:*:*:*:*:*
Matching versions
When used together with: IBM » Cloud Pak For Data » Version: 3.5
When used together with: IBM » Cloud Pak For Data » Version: 3.5 Update Refresh 1
When used together with: IBM » Cloud Pak For Data » Version: 3.5 Update Refresh 9
IBM » Big Sql » Version: 7.2.3
cpe:2.3:a:ibm:big_sql:7.2.3:*:*:*:*:*:*:*
Matching versions
When used together with: IBM » Cloud Pak For Data » Version: 4.0 Update Refresh 4

Exploit prediction scoring system (EPSS) score for CVE-2022-22353

EPSS FAQ

0.14%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 31 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-22353

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.0	MEDIUM	AV:N/AC:L/Au:S/C:P/I:N/A:N	8.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
5.3	MEDIUM	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N	1.6	3.6	IBM Corporation
Attack Vector: Network Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N	2.8	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

References for CVE-2022-22353

https://www.ibm.com/support/pages/node/6563021

Security Bulletin: Data masking rules are not enforced when CREATE TABLE AS SELECT statement is executed in IBM Big SQL
Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/220480

IBM Big SQL information disclosure CVE-2022-22353 Vulnerability Report
VDB Entry;Vendor Advisory

Jump to

Vulnerability Details : CVE-2022-22353

Products affected by CVE-2022-22353

Exploit prediction scoring system (EPSS) score for CVE-2022-22353

CVSS scores for CVE-2022-22353

References for CVE-2022-22353