VYPR
Unrated severity · NVD Advisory · Published May 6, 2022 · Updated Sep 17, 2024

CVE-2021-39023

Description

IBM Guardium Data Encryption (GDE) 4.0.0 and 5.0.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 213860.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Guardium Data Encryption (GDE) 4.0.0 and 5.0.0 expose detailed technical error messages in the browser, leaking sensitive information exploitable in further attacks.

Vulnerability

IBM Guardium Data Encryption (GDE) versions 4.0.0 and 5.0.0, including components Guardium Cloud Key Manager (GCKM) 1.10.1, CipherTrust Tokenization Server (CT-VL) 2.6.4.21, and CipherTrust Manager (CM) 2.6, are affected. The vulnerability exists because the application returns detailed technical error messages in the browser, which can inadvertently leak sensitive information about the system to a remote attacker [1]. No special configuration is required for the code path to be reachable beyond normal application usage.

Exploitation

An attacker with high privileges (PR:H) can exploit this vulnerability remotely over the network (AV:N) without user interaction (UI:N). By eliciting or observing error responses from the application, the attacker can obtain technical details from the error messages. No authentication is required for the information disclosure, and the attack complexity is low (AC:L). The attacker does not need to be on the same network segment as the target.

Impact

A successful exploit results in a low confidentiality impact (C:L) as the attacker gains sensitive technical information about the system. This information disclosure can then be used to conduct more targeted attacks against the system. There is no impact on integrity or availability (I:N/A:N). The CVSS base score is 2.7 [1].

Mitigation

IBM has not provided specific workarounds or mitigations for this vulnerability [1]. Users are advised to upgrade to the latest version of IBM Guardium Data Encryption (GDE) to obtain fixes. No EOL status or KEV listing is indicated in the available references.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patches discovered yet.

References: 2