CVE-2023-43040
IBM Spectrum Fusion HCI improper access control
In short
IBM Spectrum Fusion HCI versions 2.5.2 to 2.7.2 have a flaw that allows attackers to access storage buckets they shouldn't have permission to use. This could let unauthorized users read, modify, or delete data stored in the system.
Technical detail
The vulnerability exists in the Ceph RGW (RADOS Gateway) bucket access control implementation within IBM Spectrum Fusion HCI. An attacker can bypass authorization checks to perform unauthorized operations on buckets, potentially affecting data confidentiality and integrity. The flaw stems from improper access control validation and affects versions 2.5.2 through 2.7.2.
Summary generated and translated by AI from the official description.
IBM Spectrum Fusion HCI 2.5.2 through 2.7.2 could allow an attacker to perform unauthorized actions in RGW for Ceph due to improper bucket access. IBM X-Force ID: 266807.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L
Affected products
IBM · Spectrum Fusion HCI