Vulnerability CVE-2016-2984


Published: 2016-11-24   Modified: 2016-11-25

Description:
IBM Spectrum Scale 4.1.1.x before 4.1.1.8 and 4.2.x before 4.2.0.4 and General Parallel File System (GPFS) 3.5.x before 3.5.0.32 and 4.1.x before 4.1.1.8 allow local users to gain privileges via crafted command-line parameters to a /usr/lpp/mmfs/bin/ setuid program.

Vendor: IBM
Product: Spectrum scale 
Version:
4.2.0.3
4.2.0.2
4.2.0.1
4.2.0.0
4.1.1.8
4.1.1.7
4.1.1.6
4.1.1.5
4.1.1.4
4.1.1.3
4.1.1.2
4.1.1.1
4.1.1.0
Product: General parallel file system 
Version:
4.1.0.8
4.1.0.7
4.1.0.6
4.1.0.5
4.1.0.4
4.1.0.3
4.1.0.2
4.1.0.1
4.1.0.0
3.5.0.9
3.5.0.8
3.5.0.7
3.5.0.6
3.5.0.5
3.5.0.4
3.5.0.31
3.5.0.30
3.5.0.3
3.5.0.29
3.5.0.28
3.5.0.27
3.5.0.26
3.5.0.25
3.5.0.24
3.5.0.23
3.5.0.22
3.5.0.21
3.5.0.20
3.5.0.2
3.5.0.19
3.5.0.18
3.5.0.17
3.5.0.16
3.5.0.15
3.5.0.14
3.5.0.13
3.5.0.12
3.5.0.11
3.5.0.10
3.5.0.1
3.5.0.0

CVSS2 => (AV:L/AC:M/Au:N/C:C/I:C/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
6.9/10
10/10
3.4/10
Exploit range
Attack complexity
Authentication
Local
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Complete
Complete
Complete

 References:
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1007994
http://www.securityfocus.com/bid/92410

Related CVE
CVE-2019-4385
IBM Spectrum Protect Plus 10.1.2 may display the vSnap CIFS password in the IBM Spectrum Protect Plus Joblog. This can result in an attacker gaining access to sensitive information as well as vSnap. IBM X-Force ID: 162173.
CVE-2019-4384
IBM Campaign 9.1.2 and 10.1 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 16217...
CVE-2019-4364
IBM Maximo Asset Management 7.6 is vulnerable to CSV injection, which could allow a remote authenticated attacker to execute arbirary commands on the system. IBM X-Force ID: 161680.
CVE-2019-4303
IBM Maximo Asset Management 7.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a tr...
CVE-2017-1107
IBM Marketing Platform 9.1.0, 9.1.2, 10.0, and 10.1 exposes sensitive information in the headers that could be used by an authenticated attacker in further attacks against the system. IBM X-Force ID: 120906.
CVE-2019-4142
IBM Cloud Private 2.1.0, 3.1.0, 3.1.1, and 3.1.2 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 158338.
CVE-2019-4177
IBM Cognos Controller 10.2.0, 10.2.1, 10.3.0, 10.3.1, and 10.4.0 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 158882.
CVE-2019-4176
IBM Cognos Controller 10.2.0, 10.2.1, 10.3.0, 10.3.1, and 10.4.0 could allow a remote attacker to bypass security restrictions, caused by an error related to insecure HTTP Methods. An attacker could exploit this vulnerability to gain access to the sy...

Copyright 2019, cxsecurity.com

 

Back to Top