{"api_version":"1","generated_at":"2026-04-23T11:26:48+00:00","cve":"CVE-2022-22394","urls":{"html":"https://cve.report/CVE-2022-22394","api":"https://cve.report/api/cve/CVE-2022-22394.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-22394","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-22394"},"summary":{"title":"CVE-2022-22394","description":"The IBM Spectrum Protect 8.1.14.000 server could allow a remote attacker to bypass security restrictions, caused by improper enforcement of access controls. By signing in, an attacker could exploit this vulnerability to bypass security and gain unauthorized administrator or node access to the vulnerable server.","state":"PUBLIC","assigner":"psirt@us.ibm.com","published_at":"2022-03-21 17:15:00","updated_at":"2023-08-08 14:21:00"},"problem_types":["NVD-CWE-Other"],"metrics":[],"references":[{"url":"https://www.ibm.com/support/pages/node/6564745","name":"https://www.ibm.com/support/pages/node/6564745","refsource":"CONFIRM","tags":[],"title":"Security Bulletin: IBM Spectrum Protect 8.1.14.000 Server is vulnerable to bypass of security restrictions (CVE-2022-22394)","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/222147","name":"ibm-spectrum-cve202222394-priv-esc (222147)","refsource":"XF","tags":[],"title":"IBM X-Force Exchange","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-22394","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22394","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"22394","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"ibm","cpe5":"aix","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"22394","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"ibm","cpe5":"spectrum_protect","cpe6":"8.1.14.100","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"22394","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"22394","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"microsoft","cpe5":"windows","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"DATE_PUBLIC":"2022-03-18T00:00:00","ASSIGNER":"psirt@us.ibm.com","STATE":"PUBLIC","ID":"CVE-2022-22394"},"data_format":"MITRE","affects":{"vendor":{"vendor_data":[{"vendor_name":"IBM","product":{"product_data":[{"version":{"version_data":[{"version_value":"8.1.14.000"}]},"product_name":"Spectrum Protect Server"}]}}]}},"data_type":"CVE","description":{"description_data":[{"lang":"eng","value":"The IBM Spectrum Protect 8.1.14.000 server could allow a remote attacker to bypass security restrictions, caused by improper enforcement of access controls. By signing in, an attacker could exploit this vulnerability to bypass security and gain unauthorized administrator or node access to the vulnerable server."}]},"impact":{"cvssv3":{"BM":{"C":"H","UI":"N","SCORE":"7.500","I":"H","AV":"N","PR":"L","AC":"H","A":"H","S":"U"},"TM":{"E":"U","RL":"O","RC":"C"}}},"data_version":"4.0","references":{"reference_data":[{"name":"https://www.ibm.com/support/pages/node/6564745","url":"https://www.ibm.com/support/pages/node/6564745","title":"IBM Security Bulletin 6564745 (Spectrum Protect Server)","refsource":"CONFIRM"},{"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/222147","name":"ibm-spectrum-cve202222394-priv-esc (222147)","title":"X-Force Vulnerability Report","refsource":"XF"}]},"problemtype":{"problemtype_data":[{"description":[{"value":"Gain Privileges","lang":"eng"}]}]}},"nvd":{"publishedDate":"2022-03-21 17:15:00","lastModifiedDate":"2023-08-08 14:21:00","problem_types":["NVD-CWE-Other"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:C/I:C/A:C","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE","baseScore":9},"severity":"HIGH","exploitabilityScore":8,"impactScore":10,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:ibm:spectrum_protect:8.1.14.100:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:o:ibm:aix:-:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":false,"cpe23Uri":"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":false,"cpe23Uri":"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]}]}},"legacy_mitre":{"record":{"CveYear":"2022","CveId":"22394","Ordinal":"224735","Title":"CVE-2022-22394","CVE":"CVE-2022-22394","Year":"2022"},"notes":[{"CveYear":"2022","CveId":"22394","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}