Vulnerability CVE-2018-1464


Published: 2018-05-17

Description:
IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (6.1, 6.2, 6.3, 6.4, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.6.1, 7.7, 7.7.1, 7.8, 7.8.1, 8.1, and 8.1.1) could allow an authenticated user to obtain sensitive information that they should not have authorization to read. IBM X-Force ID: 140395.

See advisories in our WLB2 database:
Topic: IBM Flashsystem / Storwize CSRF / Arbitrary File Read / Information Disclosure (Med.)
Author: Jan Bee
Date: 15.05.2018

Type: CWE-200 (Information Exposure)

Vendor: IBM
Product: Storwize v9000 software 
Version:
8.1.1.2
8.1.1.1
8.1.1.0
8.1.0.2
8.1.0.1
8.1.0.0
7.8.1.6
7.8.1.5
7.8.1.4
7.8.1.3
7.8.1.2
7.8.1.1
7.8.1.0
7.8.0.2
See more versions on NVD
Product: Spectrum virtualize for public cloud software 
Version:
8.1.1.2
8.1.1.1
8.1.1.0
8.1.0.2
8.1.0.1
8.1.0.0
7.8.1.6
7.8.1.5
7.8.1.4
7.8.1.3
7.8.1.2
7.8.1.1
7.8.1.0
7.8.0.2
See more versions on NVD
Product: Storwize v7000 software 
Version:
8.1.1.2
8.1.1.1
8.1.1.0
8.1.0.2
8.1.0.1
8.1.0.0
7.8.1.6
7.8.1.5
7.8.1.4
7.8.1.3
7.8.1.2
7.8.1.1
7.8.1.0
7.8.0.2
See more versions on NVD
Product: Storwize v5000 software 
Version:
8.1.1.2
8.1.1.1
8.1.1.0
8.1.0.2
8.1.0.1
8.1.0.0
7.8.1.6
7.8.1.5
7.8.1.4
7.8.1.3
7.8.1.2
7.8.1.1
7.8.1.0
7.8.0.2
See more versions on NVD
Product: Storwize v3700 software 
Version:
8.1.1.2
8.1.1.1
8.1.1.0
8.1.0.2
8.1.0.1
8.1.0.0
7.8.1.6
7.8.1.5
7.8.1.4
7.8.1.3
7.8.1.2
7.8.1.1
7.8.1.0
7.8.0.2
7.8.0.1
See more versions on NVD
Product: Storwize v3500 software 
Version:
8.1.1.2
8.1.1.1
8.1.1.0
8.1.0.2
8.1.0.1
8.1.0.0
7.8.1.6
7.8.1.5
7.8.1.4
7.8.1.3
7.8.1.2
7.8.1.1
7.8.1.0
7.8.0.2
7.8.0.1
See more versions on NVD
Product: Spectrum virtualize software 
Version:
8.1.1.2
8.1.1.1
8.1.1.0
8.1.0.2
8.1.0.1
8.1.0.0
7.8.1.6
7.8.1.5
7.8.1.4
7.8.1.3
7.8.1.2
7.8.1.1
7.8.1.0
7.8.0.2
See more versions on NVD

CVSS2 => (AV:N/AC:L/Au:S/C:P/I:N/A:N)

CVSS Base Score: 4/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

References:
http://www.ibm.com/support/docview.wss?uid=ssg1S1012263
http://www.ibm.com/support/docview.wss?uid=ssg1S1012282
http://www.ibm.com/support/docview.wss?uid=ssg1S1012283
http://www.securityfocus.com/bid/104349
https://exchange.xforce.ibmcloud.com/vulnerabilities/140395

Related CVE
CVE-2018-1547
IBM Robotic Process Automation with Automation Anywhere 10.0 could allow a remote attacker to execute arbitrary code on the system, caused by improper output encoding in a CSV export. By persuading a victim to download the CSV export, to open it in ...
CVE-2018-1514
IBM Robotic Process Automation with Automation Anywhere 10.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 1416...
CVE-2017-1476
IBM Security Access Manager Appliance 7.0.0, 8.0.0 through 8.0.1.6, and 9.0.0 through 9.0.3.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could ex...
CVE-2017-1474
IBM Security Access Manager Appliance 7.0.0, 8.0.0 through 8.0.1.6, and 9.0.0 through 9.0.3.1 discloses sensitive information to unauthorized users. The information can be used to mount further attacks on the system. IBM X-Force ID: 128606.
CVE-2018-1496
IBM Content Navigator 2.0.3, 3.0.0, 3.0.1, 3.0.2, and 3.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to creden...
CVE-2018-1495
IBM FlashSystem V840 and V900 products could allow an authenticated attacker with specialized access to overwrite arbitrary files which could cause a denial of service. IBM X-Force ID: 141148.
CVE-2018-1376
IBM Security Guardium Big Data Intelligence (SonarG) 3.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentia...
CVE-2018-1375
IBM Security Guardium Big Data Intelligence (SonarG) 3.1 does not renew a session variable after a successful authentication which could lead to session fixation/hijacking vulnerability. This could force a user to utilize a cookie that may be known t...

Copyright 2018, cxsecurity.com