Vulnerability CVE-2018-1462


Published: 2018-05-17

Description:
IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (6.1, 6.2, 6.3, 6.4, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.6.1, 7.7, 7.7.1, 7.8, 7.8.1, 8.1, and 8.1.1) could allow an authenticated user to access system files they should not have access to, including deleting files or causing a denial of service. IBM X-Force ID: 140363.
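The description names the vulnerability class (CWE-284, an authenticated user reaching system files the role should not see, with deletion as the destructive variant) but not the mechanism. The following is an added illustration, not IBM's code and not a reproduction of this CVE: a hypothetical file-export handler that checks only that a session exists, beside one that also checks the caller's role and confines the path. The `Session` class, the `monitor`/`admin` roles, the export directory and the files in it are all constructed for the example; the advisory's CSRF angle is not modelled here.

```python
"""Added example (not IBM code): the CWE-284 pattern in a file-serving
endpoint, shown as a vulnerable handler beside a hardened one.

Names (Session, EXPORT_DIR, roles "monitor"/"admin") are hypothetical;
the files below are constructed in a temporary directory."""
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass
class Session:
    """Hypothetical authenticated session."""
    user: str
    role: str  # "monitor" (read-only) or "admin"


class AccessDenied(Exception):
    pass


# Constructed sandbox: an export directory callers may read from, and a
# "system" file outside it that no export endpoint should ever reach.
SANDBOX = Path(tempfile.mkdtemp(prefix="cwe284-"))
EXPORT_DIR = SANDBOX / "export"
EXPORT_DIR.mkdir()
(EXPORT_DIR / "report.txt").write_text("quarterly capacity report\n")
SYSTEM_FILE = SANDBOX / "etc" / "cluster.cfg"
SYSTEM_FILE.parent.mkdir()
SYSTEM_FILE.write_text("superuser_hash=CONSTRUCTED\n")


def vulnerable_read(session: Session, requested: str) -> str:
    """Authentication only: any logged-in user, any path.

    A relative path is joined to EXPORT_DIR, but '..' walks out of it and
    an absolute path replaces it entirely, so SYSTEM_FILE is readable."""
    if session is None:
        raise AccessDenied("login required")
    return (EXPORT_DIR / requested).read_text()


def _confine(requested: str) -> Path:
    """Resolve the request under EXPORT_DIR and refuse anything outside it."""
    root = EXPORT_DIR.resolve()
    target = (root / requested).resolve()  # collapses '..' and symlinks
    try:
        target.relative_to(root)
    except ValueError:
        raise AccessDenied(f"path escapes export directory: {requested}") from None
    return target


def hardened_read(session: Session, requested: str) -> str:
    """Authentication, then authorization by role, then path confinement."""
    if session is None:
        raise AccessDenied("login required")
    if session.role not in ("monitor", "admin"):
        raise AccessDenied(f"role {session.role!r} may not read exports")
    return _confine(requested).read_text()


def hardened_delete(session: Session, requested: str) -> None:
    """Destructive operations need the admin role and are still confined."""
    if session is None:
        raise AccessDenied("login required")
    if session.role != "admin":
        raise AccessDenied(f"role {session.role!r} may not delete files")
    _confine(requested).unlink()


def is_denied(fn, session, requested: str) -> bool:
    """True if fn(session, requested) is refused by the access check."""
    try:
        fn(session, requested)
    except AccessDenied:
        return True
    return False


if __name__ == "__main__":
    monitor = Session("monitor1", "monitor")
    print("vulnerable:", vulnerable_read(monitor, "../etc/cluster.cfg").strip())
    print("hardened denies traversal:", is_denied(hardened_read, monitor, "../etc/cluster.cfg"))
    print("hardened denies delete by monitor:", is_denied(hardened_delete, monitor, "report.txt"))
```

The two checks the vulnerable handler lacks are independent: role authorization stops a read-only user from deleting anything, and path confinement (resolve first, then `relative_to` the resolved root) stops even an administrator from using the export endpoint to reach files outside it.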

See advisories in our WLB2 database:
Topic: IBM Flashsystem / Storwize CSRF / Arbitrary File Read / Information Disclosure
Author: Jan Bee
Date: 15.05.2018
Risk: Med.

Type: CWE-284 (Improper Access Control)

Vendor: IBM
Product: Spectrum virtualize for public cloud software 
Version:
8.1.1.2
8.1.1.1
8.1.1.0
8.1.0.2
8.1.0.1
8.1.0.0
7.8.1.6
7.8.1.5
7.8.1.4
7.8.1.3
7.8.1.2
7.8.1.1
7.8.1.0
7.8.0.2
See more versions on NVD
Product: Storwize v9000 software 
Version:
8.1.1.2
8.1.1.1
8.1.1.0
8.1.0.2
8.1.0.1
8.1.0.0
7.8.1.6
7.8.1.5
7.8.1.4
7.8.1.3
7.8.1.2
7.8.1.1
7.8.1.0
7.8.0.2
See more versions on NVD
Product: Storwize v5000 software 
Version:
8.1.1.2
8.1.1.1
8.1.1.0
8.1.0.2
8.1.0.1
8.1.0.0
7.8.1.6
7.8.1.5
7.8.1.4
7.8.1.3
7.8.1.2
7.8.1.1
7.8.1.0
7.8.0.2
See more versions on NVD
Product: Storwize v7000 software 
Version:
8.1.1.2
8.1.1.1
8.1.1.0
8.1.0.2
8.1.0.1
8.1.0.0
7.8.1.6
7.8.1.5
7.8.1.4
7.8.1.3
7.8.1.2
7.8.1.1
7.8.1.0
7.8.0.2
See more versions on NVD
Product: Storwize v3700 software 
Version:
8.1.1.2
8.1.1.1
8.1.1.0
8.1.0.2
8.1.0.1
8.1.0.0
7.8.1.6
7.8.1.5
7.8.1.4
7.8.1.3
7.8.1.2
7.8.1.1
7.8.1.0
7.8.0.2
7.8.0.1
See more versions on NVD
Product: Storwize v3500 software 
Version:
8.1.1.2
8.1.1.1
8.1.1.0
8.1.0.2
8.1.0.1
8.1.0.0
7.8.1.6
7.8.1.5
7.8.1.4
7.8.1.3
7.8.1.2
7.8.1.1
7.8.1.0
7.8.0.2
7.8.0.1
See more versions on NVD
Product: Spectrum virtualize software 
Version:
8.1.1.2
8.1.1.1
8.1.1.0
8.1.0.2
8.1.0.1
8.1.0.0
7.8.1.6
7.8.1.5
7.8.1.4
7.8.1.3
7.8.1.2
7.8.1.1
7.8.1.0
7.8.0.2
See more versions on NVD

CVSS2 => (AV:N/AC:L/Au:S/C:P/I:P/A:P)

CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

References:
http://www.ibm.com/support/docview.wss?uid=ssg1S1012263
http://www.ibm.com/support/docview.wss?uid=ssg1S1012282
http://www.ibm.com/support/docview.wss?uid=ssg1S1012283
http://www.securityfocus.com/bid/104349
https://exchange.xforce.ibmcloud.com/vulnerabilities/140363

Related CVE
CVE-2018-1729
IBM QRadar SIEM 7.3 discloses sensitive information to unauthorized users. The information can be used to mount further attacks on the system. IBM X-Force ID: 147708.
CVE-2019-4203
IBM API Connect 5.0.0.0 and 5.0.8.6 Developer Portal can be exploited by app developers to download arbitrary files from the host OS and potentially carry out SSRF attacks. IBM X-Force ID: 159124.
CVE-2019-4202
IBM API Connect 5.0.0.0 and 5.0.8.6 Developer Portal is vulnerable to command injection. An attacker with a specially crafted request can run arbitrary code on the server and gain complete access to the system. IBM X-Force ID: 159123.
CVE-2019-4178
IBM Cognos Analytics 11 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request to write or view arbitrary files on the system. IBM X-Force ID: 158919.
CVE-2019-4012
IBM BigFix WebUI Profile Management 6 and Software Distribution 23 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-en...
CVE-2018-1925
IBM WebSphere MQ 9.1.0.0, 9.1.0.1, 9.1.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 152925.
CVE-2019-4013
IBM BigFix Platform 9.5 could allow any authenticated user to upload any file to any location on the server with root privileges. This results in code execution on underlying system with root privileges. IBM X-Force ID: 155887.
CVE-2018-1994
IBM InfoSphere Information Server 11.5 and 11.7 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-F...

Copyright 2019, cxsecurity.com