Vulnerability CVE-2018-1656


Published: 2018-08-20

Description:
The IBM Java Runtime Environment's Diagnostic Tooling Framework for Java (DTFJ) (IBM SDK, Java Technology Edition 6.0 , 7.0, and 8.0) does not protect against path traversal attacks when extracting compressed dump files. IBM X-Force ID: 144882.

Type:

CWE-22

(Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'))

Vendor: IBM
Product: Java sdk 
Version:
8.0.0.0
7.0.0.0
6.0.0.0
Product: SDK 
Version:
8.0
7.0
6.0
Vendor: Redhat
Product: Enterprise linux server 
Version: 7.0; 6.0;
Product: Enterprise linux workstation 
Version: 7.0; 6.0;
Product: Enterprise linux desktop 
Version: 7.0; 6.0;
Product: Satellite 
Version:
5.8
5.7
5.6
Vendor: Oracle
Product: Enterprise manager base platform 
Version: 13.3.0.0.0; 13.2.0.0.0;

CVSS2 => (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.3/10
2.9/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None

 References:
http://www.ibm.com/support/docview.wss?uid=ibm10719653
http://www.securityfocus.com/bid/105118
http://www.securitytracker.com/id/1041765
https://access.redhat.com/errata/RHSA-2018:2568
https://access.redhat.com/errata/RHSA-2018:2569
https://access.redhat.com/errata/RHSA-2018:2575
https://access.redhat.com/errata/RHSA-2018:2576
https://access.redhat.com/errata/RHSA-2018:2712
https://access.redhat.com/errata/RHSA-2018:2713
https://exchange.xforce.ibmcloud.com/vulnerabilities/144882
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Related CVE
CVE-2010-4177
mysql-gui-tools (mysql-query-browser and mysql-admin) before 5.0r14+openSUSE-2.3 exposes the password of a user connected to the MySQL server in clear text form via the list of running processes.
CVE-2010-4178
MySQL-GUI-tools (mysql-administrator) leaks passwords into process list after with launch of mysql text console
CVE-2017-10010
Vulnerability in the Oracle FLEXCUBE Private Banking component of Oracle Financial Services Applications (subcomponent: FileUploads). Supported versions that are affected are 2.0.0, 2.0.1, 2.2.0 and 12.0.1. Easily exploitable vulnerability allows low...
CVE-2017-10003
Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Network Services Library). The supported version that is affected is 10. Difficult to exploit vulnerability allows low privileged attacker with logon to the in...
CVE-2017-10000
Vulnerability in the Oracle Hospitality Reporting and Analytics component of Oracle Hospitality Applications (subcomponent: Reporting). Supported versions that are affected are 8.5.1 and 9.0.0. Easily exploitable vulnerability allows low privileged a...
CVE-2019-2879
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols...
CVE-2019-2878
Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of Oracle Sun Systems Products Suite (subcomponent: HTTP data path subsystems). The supported version that is affected is 8.8.3. Easily exploitable vulnerability allows unauthenticated...
CVE-2019-2877
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.2.32 and prior to 6.0.10. Easily exploitable vulnerability allows low privileged attacker with logo...

Copyright 2019, cxsecurity.com

 

Back to Top