Vulnerability CVE-2014-6194


Published: 2015-02-16   Modified: 2015-02-17

Description:
Directory traversal vulnerability in an unspecified web form in IBM Maximo Asset Management 7.1 through 7.1.1.13 and 7.5.0 before 7.5.0.6 IFIX007, Maximo Asset Management 7.5.0 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk, and Maximo Asset Management 7.1 through 7.1.1.13 and 7.2 for Tivoli IT Asset Management for IT and certain other products allows remote authenticated users to read arbitrary files via a .. (dot dot) in a pathname.

Vendor: IBM
Product: Smartcloud control desk 
Version:
7.5.1.1
7.5.1.0
7.5.0.5
7.5.0.3
7.5.0.2
7.5.0.1
Product: Maximo asset management 
Version:
7.5.0.6
7.5.0.5
7.5.0.4
7.5.0.3
7.5.0.2
7.5.0.10
7.5.0.1
7.5.0.0
7.1.2
7.1.1.9
7.1.1.8
7.1.1.7
7.1.1.6
7.1.1.5
7.1.1.2
7.1.1.13
7.1.1.12
7.1.1.11
7.1.1.10
7.1.1.1
7.1.1
7.1
Product: Maximo for utilities 
Version: 7.5.0.0; 7.1;
Product: Maximo for government 
Version: 7.5.0.0; 7.1;
Product: Maximo for life sciences 
Version: 7.5.0.0; 7.1;
Product: Maximo for nuclear power 
Version: 7.5.0.0; 7.1;
Product: Maximo for oil and gas 
Version: 7.5.0.0; 7.1;
Product: Maximo for transportation 
Version: 7.5.0.0; 7.1;
Product: Maximo asset management essentials 
Version: 7.5.0.0; 7.1;
Product: Change and configuration management database 
Version: 7.2; 7.1;
Product: Tivoli asset management for it 
Version: 7.2; 7.1;
Product: Tivoli service request manager 
Version: 7.2; 7.1;

CVSS2 => (AV:N/AC:L/Au:S/C:P/I:N/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4/10
2.9/10
8/10
Exploit range
Attack complexity
Authentication
Remote
Low
Single time
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None

 References:
http://www-01.ibm.com/support/docview.wss?uid=swg21694035
https://exchange.xforce.ibmcloud.com/vulnerabilities/98605

Related CVE
CVE-2018-1565
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 could allow a local user to overflow a buffer which may result in a privilege escalation to the DB2 instance owner. IBM X-Force ID: 143022.
CVE-2018-1544
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 could allow a local user to overflow a buffer which may result in a privilege escalation to the DB2 instance owner. IBM X-Force ID: 142648.
CVE-2018-1515
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 10.5 and 11.1, under specific or unusual conditions, could allow a local user to overflow a buffer which may result in a privilege escalation to the DB2 instance owner. IBM X-Force ID:...
CVE-2018-1488
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 10.5 and 11.1 is vulnerable to a buffer overflow, which could allow an authenticated local attacker to execute arbitrary code on the system as root. IBM X-Force ID: 140973.
CVE-2018-1459
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 is vulnerable to stack based buffer overflow, caused by improper bounds checking which could lead an attacker to execute arbitrary code. IBM X-Force ID: 14021...
CVE-2018-1452
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 contains a vulnerability that could allow a local user to overwrite arbitrary files owned by the DB2 instance owner. IBM X-Force ID: 140047.
CVE-2018-1451
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 contains a vulnerability that could allow a local user to overwrite arbitrary files owned by the DB2 instance owner. IBM X-Force ID: 140046.
CVE-2018-1450
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 contains a vulnerability that could allow a local user to overwrite arbitrary files owned by the DB2 instance owner. IBM X-Force ID: 140045.

Copyright 2018, cxsecurity.com

 

Back to Top