{"api_version":"1","generated_at":"2026-05-03T14:43:10+00:00","cve":"CVE-2022-22349","urls":{"html":"https://cve.report/CVE-2022-22349","api":"https://cve.report/api/cve/CVE-2022-22349.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-22349","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-22349"},"summary":{"title":"CVE-2022-22349","description":"IBM Sterling External Authentication Server 3.4.3.2, 6.0.2.0, and 6.0.3.0 is vulnerable to path traversals, due to not properly validating RESTAPI configuration data. An authorized user could import invalid data which could be used for an attack. IBM X-Force ID: 220144.","state":"PUBLIC","assigner":"psirt@us.ibm.com","published_at":"2022-02-24 17:15:00","updated_at":"2022-03-02 21:14:00"},"problem_types":["CWE-22"],"metrics":[],"references":[{"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/220144","name":"ibm-spectrum-cve202222349-path-traversal (220144)","refsource":"XF","tags":[],"title":"IBM X-Force Exchange","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.ibm.com/support/pages/node/6558928","name":"https://www.ibm.com/support/pages/node/6558928","refsource":"CONFIRM","tags":[],"title":"Security Bulletin: Multiple vulnerabilities were detected in IBM Sterling External Authentication Server (CVE-2022-22333, CVE-2022-22349)","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-22349","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22349","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"22349","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"ibm","cpe5":"sterling_external_authentication_server","cpe6":"3.4.3.2","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"22349","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"ibm","cpe5":"sterling_external_authentication_server","cpe6":"6.0.2.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"22349","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"ibm","cpe5":"sterling_external_authentication_server","cpe6":"6.0.3.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"DATE_PUBLIC":"2022-02-23T00:00:00","ASSIGNER":"psirt@us.ibm.com","ID":"CVE-2022-22349","STATE":"PUBLIC"},"references":{"reference_data":[{"name":"https://www.ibm.com/support/pages/node/6558928","title":"IBM Security Bulletin 6558928 (Sterling External Authentication Server)","refsource":"CONFIRM","url":"https://www.ibm.com/support/pages/node/6558928"},{"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/220144","name":"ibm-spectrum-cve202222349-path-traversal (220144)","title":"X-Force Vulnerability Report","refsource":"XF"}]},"description":{"description_data":[{"value":"IBM Sterling External Authentication Server 3.4.3.2, 6.0.2.0, and 6.0.3.0 is vulnerable to path traversals, due to not properly validating RESTAPI configuration data. An authorized user could import invalid data which could be used for an attack. IBM X-Force ID: 220144.","lang":"eng"}]},"data_version":"4.0","data_format":"MITRE","data_type":"CVE","problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Gain Access"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"IBM","product":{"product_data":[{"product_name":"Sterling External Authentication Server","version":{"version_data":[{"version_value":"6.0.3.0"},{"version_value":"6.0.2.0"},{"version_value":"3.4.3.2"}]}}]}}]}},"impact":{"cvssv3":{"TM":{"E":"U","RC":"C","RL":"O"},"BM":{"I":"L","PR":"L","AC":"L","A":"N","AV":"N","C":"N","S":"U","UI":"N","SCORE":"4.300"}}}},"nvd":{"publishedDate":"2022-02-24 17:15:00","lastModifiedDate":"2022-03-02 21:14:00","problem_types":["CWE-22"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":1.4},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":4},"severity":"MEDIUM","exploitabilityScore":8,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:ibm:sterling_external_authentication_server:6.0.2.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:ibm:sterling_external_authentication_server:3.4.3.2:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:ibm:sterling_external_authentication_server:6.0.3.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2022","CveId":"22349","Ordinal":"224690","Title":"CVE-2022-22349","CVE":"CVE-2022-22349","Year":"2022"},"notes":[{"CveYear":"2022","CveId":"22349","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}