Spectrum Protect Server
by IBM
CVEs (89)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-8940 | Hig | 0.57 | 8.8 | 0.01 | Mar 7, 2017 | IBM Tivoli Storage Manager (IBM Spectrum Protect) 6.1, 6.2, 6.3, and 7.1 does not perform sufficient authority checking on SQL queries. As a result, an attacker is able to submit SQL queries that access database tables that are not intended for access or use by administrators.… | ||
| CVE-2025-3319 | Hig | 0.53 | 8.1 | 0.00 | Jun 20, 2025 | IBM Spectrum Protect Server 8.1 through 8.1.26 could allow attacker to bypass authentication due to improper session authentication which can result in access to unauthorized resources. | ||
| CVE-2021-39057 | Hig | 0.53 | 8.1 | 0.00 | Dec 13, 2021 | IBM Spectrum Protect Plus 10.1.0.0 through 10.1.8.x is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force… | ||
| CVE-2020-4703 | Hig | 0.52 | 8.0 | 0.02 | Sep 15, 2020 | IBM Spectrum Protect Plus 10.1.0 through 10.1.6 Administrative Console could allow an authenticated attacker to upload arbitrary files which could be execute arbitrary code on the vulnerable server. This vulnerability is due to an incomplete fix for CVE-2020-4470. IBM X-Force… | ||
| CVE-2020-4470 | Hig | 0.52 | 8.0 | 0.02 | Jun 15, 2020 | IBM Spectrum Protect Plus 10.1.0 through 10.1.5 Administrative Console could allow an authenticated attacker to upload arbitrary files which could be execute arbitrary code on the vulnerable server. IBM X-Force ID: 181725. | ||
| CVE-2019-4267 | Hig | 0.51 | 7.8 | 0.00 | Jul 22, 2019 | The IBM Spectrum Protect 7.1 and 8.1 Backup-Archive Client is vulnerable to a buffer overflow. This could allow execution of arbitrary code on the local system or the application to crash. IBM X-Force ID: 160200. | ||
| CVE-2019-4088 | Hig | 0.51 | 7.8 | 0.01 | Jul 2, 2019 | IBM Spectrum Protect Servers 7.1 and 8.1 and Storage Agents could allow a local attacker to gain elevated privileges on the system, caused by loading a specially crafted library loaded by the dsmqsan module. By setting up such a library, a local attacker could exploit this… | ||
| CVE-2017-1378 | Hig | 0.51 | 7.8 | 0.00 | Oct 5, 2017 | IBM Spectrum Protect 7.1 and 8.1 (formerly Tivoli Storage Manager) disclosed unencrypted login credentials to Vmware vCenter in the application trace output which could be obtained by a local user. IBM X-Force ID: 126875. | ||
| CVE-2022-40608 | Hig | 0.49 | 7.5 | 0.02 | Sep 19, 2022 | IBM Spectrum Protect Plus 10.1.6 through 10.1.11 Microsoft File Systems restore operation can download any file on the target machine by manipulating the URL with a directory traversal attack. This results in the restore operation gaining access to files which the operator… | ||
| CVE-2022-22474 | Hig | 0.49 | 7.5 | 0.01 | Jun 30, 2022 | IBM Spectrum Protect 8.1.0.0 through 8.1.14.0 dsmcad, dsmc, and dsmcsvc processes incorrectly handle certain read operations on TCP/IP sockets. This can result in a denial of service for IBM Spectrum Protect client operations. IBM X-Force ID: 225348. | ||
| CVE-2022-22396 | Hig | 0.49 | 7.5 | 0.01 | Jun 6, 2022 | Credentials are printed in clear text in the IBM Spectrum Protect Plus 10.1.0.0 through 10.1.9.3 virgo log file in certain cases. Credentials could be the remote vSnap, offload targets, or VADP credentials depending on the operation performed. Credentials that are using API key… | ||
| CVE-2022-22354 | Hig | 0.49 | 7.5 | 0.01 | Mar 14, 2022 | IBM Spectrum Protect Plus 10.1.0.0 through 10.1.9.2 and IBM Spectrum Copy Data Management 2.2.0.0 through 2.2.14.3 do not limit the length of a connection which could allow for a Slowloris HTTP denial of service attack to take place. This can cause the Admin Console to become… | ||
| CVE-2021-29694 | Hig | 0.49 | 7.5 | 0.01 | Apr 26, 2021 | IBM Spectrum Protect Plus 10.1.0 through 10.1.7 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 200258. | ||
| CVE-2020-5023 | Hig | 0.49 | 7.5 | 0.02 | Feb 10, 2021 | IBM Spectrum Protect Plus 10.1.0 through 10.1.7 could allow a remote user to inject arbitrary data iwhich could cause the serivce to crash due to excess resource consumption. IBM X-Force ID: 193659. | ||
| CVE-2020-5018 | Hig | 0.49 | 7.5 | 0.01 | Jan 8, 2021 | IBM Spectrum Protect Plus 10.1.0 through 10.1.6 may include sensitive information in its URLs increasing the risk of such information being caputured by an attacker. IBM X-Force ID: 193654. | ||
| CVE-2020-4559 | Hig | 0.49 | 7.5 | 0.01 | Aug 28, 2020 | IBM Spectrum Protect 7.1 and 8.1 could allow an attacker to cause a denial of service due ti improper validation of user-supplied input. IBM X-Force ID: 183613. | ||
| CVE-2020-4494 | Hig | 0.49 | 7.5 | 0.02 | Jun 15, 2020 | IBM Spectrum Protect Client 8.1.7.0 through 8.1.9.1 (Linux and Windows), 8.1.9.0 trough 8.1.9.1 (AIX) and IBM Spectrum Protect for Space Management 8.1.7.0 through 8.1.9.1 (Linux), 8.1.9.0 through 8.1.9.1 (AIX) web user interfaces could allow an attacker to bypass authentication… | ||
| CVE-2020-4214 | Hig | 0.49 | 7.5 | 0.02 | Mar 31, 2020 | IBM Spectrum Protect Plus 10.1.0 through 10.1.5 could allow a remote attacker to arbitrary delete a directory caused by improper validation of user-supplied input. IBM X-Force ID: 175026. | ||
| CVE-2018-1785 | Hig | 0.49 | 7.5 | 0.01 | Sep 26, 2018 | IBM Tivoli Storage Manager (IBM Spectrum Protect 7.1 and 8.1) uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt sensitive information. IBM X-Force ID: 148870. | ||
| CVE-2018-1545 | Hig | 0.49 | 7.5 | 0.01 | Sep 26, 2018 | IBM Tivoli Storage Manager (IBM Spectrum Protect 7.1 and 8.1) uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 142649. |
- risk 0.57cvss 8.8epss 0.01
IBM Tivoli Storage Manager (IBM Spectrum Protect) 6.1, 6.2, 6.3, and 7.1 does not perform sufficient authority checking on SQL queries. As a result, an attacker is able to submit SQL queries that access database tables that are not intended for access or use by administrators.…
- risk 0.53cvss 8.1epss 0.00
IBM Spectrum Protect Server 8.1 through 8.1.26 could allow attacker to bypass authentication due to improper session authentication which can result in access to unauthorized resources.
- risk 0.53cvss 8.1epss 0.00
IBM Spectrum Protect Plus 10.1.0.0 through 10.1.8.x is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force…
- risk 0.52cvss 8.0epss 0.02
IBM Spectrum Protect Plus 10.1.0 through 10.1.6 Administrative Console could allow an authenticated attacker to upload arbitrary files which could be execute arbitrary code on the vulnerable server. This vulnerability is due to an incomplete fix for CVE-2020-4470. IBM X-Force…
- risk 0.52cvss 8.0epss 0.02
IBM Spectrum Protect Plus 10.1.0 through 10.1.5 Administrative Console could allow an authenticated attacker to upload arbitrary files which could be execute arbitrary code on the vulnerable server. IBM X-Force ID: 181725.
- risk 0.51cvss 7.8epss 0.00
The IBM Spectrum Protect 7.1 and 8.1 Backup-Archive Client is vulnerable to a buffer overflow. This could allow execution of arbitrary code on the local system or the application to crash. IBM X-Force ID: 160200.
- risk 0.51cvss 7.8epss 0.01
IBM Spectrum Protect Servers 7.1 and 8.1 and Storage Agents could allow a local attacker to gain elevated privileges on the system, caused by loading a specially crafted library loaded by the dsmqsan module. By setting up such a library, a local attacker could exploit this…
- risk 0.51cvss 7.8epss 0.00
IBM Spectrum Protect 7.1 and 8.1 (formerly Tivoli Storage Manager) disclosed unencrypted login credentials to Vmware vCenter in the application trace output which could be obtained by a local user. IBM X-Force ID: 126875.
- risk 0.49cvss 7.5epss 0.02
IBM Spectrum Protect Plus 10.1.6 through 10.1.11 Microsoft File Systems restore operation can download any file on the target machine by manipulating the URL with a directory traversal attack. This results in the restore operation gaining access to files which the operator…
- risk 0.49cvss 7.5epss 0.01
IBM Spectrum Protect 8.1.0.0 through 8.1.14.0 dsmcad, dsmc, and dsmcsvc processes incorrectly handle certain read operations on TCP/IP sockets. This can result in a denial of service for IBM Spectrum Protect client operations. IBM X-Force ID: 225348.
- risk 0.49cvss 7.5epss 0.01
Credentials are printed in clear text in the IBM Spectrum Protect Plus 10.1.0.0 through 10.1.9.3 virgo log file in certain cases. Credentials could be the remote vSnap, offload targets, or VADP credentials depending on the operation performed. Credentials that are using API key…
- risk 0.49cvss 7.5epss 0.01
IBM Spectrum Protect Plus 10.1.0.0 through 10.1.9.2 and IBM Spectrum Copy Data Management 2.2.0.0 through 2.2.14.3 do not limit the length of a connection which could allow for a Slowloris HTTP denial of service attack to take place. This can cause the Admin Console to become…
- risk 0.49cvss 7.5epss 0.01
IBM Spectrum Protect Plus 10.1.0 through 10.1.7 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 200258.
- risk 0.49cvss 7.5epss 0.02
IBM Spectrum Protect Plus 10.1.0 through 10.1.7 could allow a remote user to inject arbitrary data iwhich could cause the serivce to crash due to excess resource consumption. IBM X-Force ID: 193659.
- risk 0.49cvss 7.5epss 0.01
IBM Spectrum Protect Plus 10.1.0 through 10.1.6 may include sensitive information in its URLs increasing the risk of such information being caputured by an attacker. IBM X-Force ID: 193654.
- risk 0.49cvss 7.5epss 0.01
IBM Spectrum Protect 7.1 and 8.1 could allow an attacker to cause a denial of service due ti improper validation of user-supplied input. IBM X-Force ID: 183613.
- risk 0.49cvss 7.5epss 0.02
IBM Spectrum Protect Client 8.1.7.0 through 8.1.9.1 (Linux and Windows), 8.1.9.0 trough 8.1.9.1 (AIX) and IBM Spectrum Protect for Space Management 8.1.7.0 through 8.1.9.1 (Linux), 8.1.9.0 through 8.1.9.1 (AIX) web user interfaces could allow an attacker to bypass authentication…
- risk 0.49cvss 7.5epss 0.02
IBM Spectrum Protect Plus 10.1.0 through 10.1.5 could allow a remote attacker to arbitrary delete a directory caused by improper validation of user-supplied input. IBM X-Force ID: 175026.
- risk 0.49cvss 7.5epss 0.01
IBM Tivoli Storage Manager (IBM Spectrum Protect 7.1 and 8.1) uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt sensitive information. IBM X-Force ID: 148870.
- risk 0.49cvss 7.5epss 0.01
IBM Tivoli Storage Manager (IBM Spectrum Protect 7.1 and 8.1) uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 142649.
Page 2 of 5