CVE-2014-0946

The RES Console in Rule Execution Server in IBM Operational Decision Manager 7.5 before FP3 IF37, 8.0 before MP1 FP2, and 8.5 before MP1 IF26 does not send appropriate Cache-Control HTTP headers, which allows remote attackers to obtain sensitive information by leveraging an unattended workstation.

CVSS v2.0 4.3 MEDIUM

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:N/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://www-01.ibm.com/support/docview.wss?uid=swg21671324	Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/92573

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ibm:operational_decision_manager:7.5:::::::*
	cpe:2.3:a:ibm:operational_decision_manager:8.0:::::::*
	cpe:2.3:a:ibm:operational_decision_manager:8.5:::::::*

History

No history.

Information

Published : 2014-05-09 10:50

Updated : 2024-02-04 18:35

NVD link : CVE-2014-0946

Mitre link : CVE-2014-0946

CVE.ORG link : CVE-2014-0946

JSON object : View

Products Affected

ibm

operational_decision_manager

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2014-0946", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2014-05-09T10:50:25.397", "references": [{"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21671324", "tags": ["Vendor Advisory"], "source": "psirt@us.ibm.com"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/92573", "source": "psirt@us.ibm.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "The RES Console in Rule Execution Server in IBM Operational Decision Manager 7.5 before FP3 IF37, 8.0 before MP1 FP2, and 8.5 before MP1 IF26 does not send appropriate Cache-Control HTTP headers, which allows remote attackers to obtain sensitive information by leveraging an unattended workstation."}, {"lang": "es", "value": "La consola RES en Rule Execution Server en IBM Operational Decision Manager 7.5 anterior a FP3 IF37, 8.0 anterior a MP1 FP2 y 8.5 anterior a MP1 IF26 no env\u00eda cabeceras HTTP de control de cach\u00e9 adecuadas, lo que permite a atacantes remotos obtener informaci\u00f3n sensible mediante el aprovechamiento de una estaci\u00f3n de trabajo desatendida."}], "lastModified": "2017-08-29T01:34:21.733", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ibm:operational_decision_manager:7.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "000AB680-5E33-4986-A0F1-2CFF6DFF0ADE"}, {"criteria": "cpe:2.3:a:ibm:operational_decision_manager:8.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A6E71B29-F33F-4892-BED4-F3F8DF662E55"}, {"criteria": "cpe:2.3:a:ibm:operational_decision_manager:8.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DD81870D-A065-42B5-A87C-56A59FBCCDA2"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@us.ibm.com"}