CVE-2021-39052
Description
IBM Spectrum Copy Data Management 2.2.13 and earlier could allow a remote attacker to access the Spring Boot console without authorization. IBM X-Force ID: 214523.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM Spectrum Copy Data Management 2.2.13 and earlier allows remote attackers to access the Spring Boot console without authentication, leading to potential information disclosure and limited system compromise.
Vulnerability
IBM Spectrum Copy Data Management versions 2.2.13 and earlier contain a missing authentication vulnerability in the Spring Boot console [1]. The Spring Boot console, typically used for application monitoring and management, is exposed without proper access controls, allowing unauthenticated remote access.
Exploitation
An attacker can exploit this vulnerability by sending crafted HTTP requests to the Spring Boot console endpoints without any prior authentication [1]. The attack complexity is high (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L), meaning the attacker may need to overcome specific network conditions or timing, but no user interaction or privileges are required.
Impact
Successful exploitation allows the attacker to access the Spring Boot console, potentially leading to low-level information disclosure (e.g., application configuration, environment details), limited integrity impact (e.g., modifying certain settings), and limited availability impact (e.g., restarting services) [1]. The attack does not grant full system control.
Mitigation
IBM has not disclosed a specific fix version in the referenced advisory [1]. Users should upgrade to a version beyond 2.2.13 if available, or apply workarounds such as restricting network access to the Spring Boot console endpoints. Contact IBM support for the latest remediation guidance.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=2.2.13
- IBM/Spectrum Copy Data Management (v5), Range: 2.2.13
Patches
No patches discovered yet.
References
- exchange.xforce.ibmcloud.com/vulnerabilities/214523 (mitre, vdb-entry, x_refsource_XF)
- www.ibm.com/support/pages/node/6525554 (mitre, x_refsource_CONFIRM)