PT-2023-12668 · Hitachi · Lumada APM

Published

2023-01-12

·

Updated

2023-07-21

·

CVE-2022-2155

CVSS v3.1

7.1

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Lumada APM on-premises versions 6.0.0.0 through 6.4.0.*

Description

A vulnerability exists in the User Asset Group feature of Lumada APM because the access-control check for the "Limited Engineer" role is implemented incorrectly: the role is granted access to the embedded Power BI reports feature. An attacker holding a Limited Engineer account (the vector's PR:L) could read any Power BI report installed by the customer, obtaining information the role is not authorized to see. The same flaw also lets the attacker manipulate asset issue comments, an action this role should not be able to perform.

Recommendations

For Lumada APM on-premises versions 6.0.0.0 through 6.4.0.*, consider restricting assignment of the "Limited Engineer" role until a patch is available. As a temporary workaround, limit that role's access to the embedded Power BI reports feature and restrict its ability to manipulate asset issue comments. At the time of writing, no information is available about a newer version that contains a fix for this issue.
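The flaw is a role that receives permissions outside its intended set (an over-grant), and the workaround is to strip those permissions until a patch exists. The following Python example, added here and not code from Lumada APM or from the advisory, models that class of bug with a deny-by-default permission check, an audit that reports every permission a role holds beyond its intended set, and a function that applies the interim mitigation. The role names come from the advisory; the permission names, the "expected" matrix and the report/comment endpoints are assumptions made for illustration.

```python
"""Deny-by-default role checks and a permission-matrix audit.

Hypothetical example modelling the over-grant described in CVE-2022-2155.
This is not Lumada APM code; permission names are assumed for illustration.
"""

# Permission names are assumptions, not identifiers from the product.
ASSET_READ = "asset:read"
REPORTS_VIEW = "powerbi_reports:view"
ISSUE_COMMENT_WRITE = "asset_issue_comment:write"

# Intended least-privilege matrix (assumption: Limited Engineer only reads assets).
EXPECTED = {
    "Administrator": frozenset({ASSET_READ, REPORTS_VIEW, ISSUE_COMMENT_WRITE}),
    "Engineer": frozenset({ASSET_READ, REPORTS_VIEW, ISSUE_COMMENT_WRITE}),
    "Limited Engineer": frozenset({ASSET_READ}),
}

# Matrix reproducing the flaw: Limited Engineer also gets report access and
# the ability to write asset issue comments.
FLAWED = {
    "Administrator": frozenset({ASSET_READ, REPORTS_VIEW, ISSUE_COMMENT_WRITE}),
    "Engineer": frozenset({ASSET_READ, REPORTS_VIEW, ISSUE_COMMENT_WRITE}),
    "Limited Engineer": frozenset({ASSET_READ, REPORTS_VIEW, ISSUE_COMMENT_WRITE}),
}


def is_allowed(matrix, role, permission):
    """Deny by default: an unknown role or an unlisted permission is refused."""
    return permission in matrix.get(role, frozenset())


def audit(matrix, expected):
    """Return {role: permissions granted beyond the intended set} for every over-granted role.

    A role present in `matrix` but absent from `expected` has an intended set of
    nothing, so every permission it holds is reported.
    """
    findings = {}
    for role, granted in matrix.items():
        extra = set(granted) - set(expected.get(role, frozenset()))
        if extra:
            findings[role] = extra
    return findings


def apply_workaround(matrix, expected):
    """Return a matrix with every over-grant removed (the advisory's interim mitigation).

    Permissions are intersected with the intended set, so nothing new is granted.
    """
    return {
        role: frozenset(set(granted) & set(expected.get(role, frozenset())))
        for role, granted in matrix.items()
    }


# Constructed stand-ins for the two affected features (hypothetical endpoints).
REPORTS = {"rpt-001": "Asset health (constructed sample report)"}
ISSUE_COMMENTS = {"asset-42": ["baseline comment (constructed)"]}


def view_report(matrix, role, report_id):
    """Return the report body only if the role may view reports; otherwise refuse."""
    if not is_allowed(matrix, role, REPORTS_VIEW):
        raise PermissionError(f"{role!r} may not view Power BI reports")
    return REPORTS[report_id]


def add_issue_comment(matrix, role, asset_id, text):
    """Append a comment only if the role may write asset issue comments."""
    if not is_allowed(matrix, role, ISSUE_COMMENT_WRITE):
        raise PermissionError(f"{role!r} may not modify asset issue comments")
    comments = ISSUE_COMMENTS.setdefault(asset_id, [])
    comments.append(text)
    return len(comments)


if __name__ == "__main__":
    print("over-grants in flawed matrix:", audit(FLAWED, EXPECTED))
    fixed = apply_workaround(FLAWED, EXPECTED)
    print("over-grants after workaround:", audit(fixed, EXPECTED))
```

Running `audit(FLAWED, EXPECTED)` reports the two extra permissions on "Limited Engineer", which is exactly the finding the advisory describes; after `apply_workaround` the audit is empty and both endpoints refuse that role. The audit is the reusable part: comparing a deployed role matrix against the documented least-privilege matrix on every release catches this class of regression before an attacker does.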

Fix

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2022-2155

Affected Products

Lumada APM