A vulnerability, which was classified as problematic, was found in IBM Security Guardium Data Encryption 3.0.0.2 (Policy Management Software). Affected is some unknown processing. The manipulation with an unknown input leads to a missing encryption vulnerability (Credentials). CWE is classifying the issue as CWE-311. The product does not encrypt sensitive or critical information before storage or transmission. This is going to have an impact on confidentiality. CVE summarizes:

IBM Security Guardium Data Encryption (GDE) 3.0.0.2 stores user credentials in plain in clear text which can be read by an authenticated user. IBM X-Force ID: 171938.

The weakness was published 08/26/2020 (Website). The advisory is shared for download at ibm.com. This vulnerability is traded as CVE-2019-4697 since 01/03/2019. The exploitability is told to be difficult. It is possible to launch the attack remotely. Required for exploitation is a authentication. There are neither technical details nor an exploit publicly available. The current price for an exploit might be approx. USD $0-$5k (estimation calculated on 08/27/2020). It is expected to see the exploit prices for this product increasing in the near future.The MITRE ATT&CK project declares the attack technique as T1600.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Similar entries are available at 160312, 160313, 160314 and 160315.

Productinfo

Type

• Policy Management Software

Vendor

• IBM

Name

• Security Guardium Data Encryption

Version

• 3.0.0.2

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion