Vulnerability CVE-2018-1462

Published: 2018-05-17

Description:
IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (6.1, 6.2, 6.3, 6.4, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.6.1, 7.7, 7.7.1, 7.8, 7.8.1, 8.1, and 8.1.1) could allow an authenticated user to access system files they should not have access to, including deleting files or causing a denial of service. IBM X-Force ID: 140363.

See advisories in our WLB2 database:
Risk: Med.
Topic: IBM Flashsystem / Storwize CSRF / Arbitrary File Read / Information Disclosure
Author: Jan Bee
Date: 15.05.2018

Type: CWE-284 (Improper Access Control)

Vendor: IBM
Product: Spectrum virtualize for public cloud software
Versions: 8.1.1.2, 8.1.1.1, 8.1.1.0, 8.1.0.2, 8.1.0.1, 8.1.0.0, 7.8.1.6, 7.8.1.5, 7.8.1.4, 7.8.1.3, 7.8.1.2, 7.8.1.1, 7.8.1.0, 7.8.0.2 (see more versions on NVD)

Product: Storwize v9000 software
Versions: 8.1.1.2, 8.1.1.1, 8.1.1.0, 8.1.0.2, 8.1.0.1, 8.1.0.0, 7.8.1.6, 7.8.1.5, 7.8.1.4, 7.8.1.3, 7.8.1.2, 7.8.1.1, 7.8.1.0, 7.8.0.2 (see more versions on NVD)

Product: Storwize v5000 software
Versions: 8.1.1.2, 8.1.1.1, 8.1.1.0, 8.1.0.2, 8.1.0.1, 8.1.0.0, 7.8.1.6, 7.8.1.5, 7.8.1.4, 7.8.1.3, 7.8.1.2, 7.8.1.1, 7.8.1.0, 7.8.0.2 (see more versions on NVD)

Product: Storwize v7000 software
Versions: 8.1.1.2, 8.1.1.1, 8.1.1.0, 8.1.0.2, 8.1.0.1, 8.1.0.0, 7.8.1.6, 7.8.1.5, 7.8.1.4, 7.8.1.3, 7.8.1.2, 7.8.1.1, 7.8.1.0, 7.8.0.2 (see more versions on NVD)

Product: Storwize v3700 software
Versions: 8.1.1.2, 8.1.1.1, 8.1.1.0, 8.1.0.2, 8.1.0.1, 8.1.0.0, 7.8.1.6, 7.8.1.5, 7.8.1.4, 7.8.1.3, 7.8.1.2, 7.8.1.1, 7.8.1.0, 7.8.0.2, 7.8.0.1 (see more versions on NVD)

Product: Storwize v3500 software
Versions: 8.1.1.2, 8.1.1.1, 8.1.1.0, 8.1.0.2, 8.1.0.1, 8.1.0.0, 7.8.1.6, 7.8.1.5, 7.8.1.4, 7.8.1.3, 7.8.1.2, 7.8.1.1, 7.8.1.0, 7.8.0.2, 7.8.0.1 (see more versions on NVD)

Product: Spectrum virtualize software
Versions: 8.1.1.2, 8.1.1.1, 8.1.1.0, 8.1.0.2, 8.1.0.1, 8.1.0.0, 7.8.1.6, 7.8.1.5, 7.8.1.4, 7.8.1.3, 7.8.1.2, 7.8.1.1, 7.8.1.0, 7.8.0.2 (see more versions on NVD)

CVSS2 => (AV:N/AC:L/Au:S/C:P/I:P/A:P)

CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

References:
http://www.ibm.com/support/docview.wss?uid=ssg1S1012263
http://www.ibm.com/support/docview.wss?uid=ssg1S1012282
http://www.ibm.com/support/docview.wss?uid=ssg1S1012283
http://www.securityfocus.com/bid/104349
https://exchange.xforce.ibmcloud.com/vulnerabilities/140363

Copyright 2018, cxsecurity.com
