CVE-2014-6158

Multiple directory traversal vulnerabilities in the file-upload feature in IBM PureApplication System 1.0 before 1.0.0.4 iFix 10, 1.1 before 1.1.0.5, and 2.0 before 2.0.0.1 and Workload Deployer 3.1.0.7 before IF5 allow remote authenticated users to execute arbitrary code via a (1) Script Package, (2) Add-On, or (3) Emergency Fixes component.

CVSS v2.0 9.0 HIGH

9.0^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:S/C:C/I:C/A:C

Exploitability : 8.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://secunia.com/advisories/61956
http://secunia.com/advisories/62032
http://www-01.ibm.com/support/docview.wss?uid=swg21693292	Patch Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21693440	Patch Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/97707
http://secunia.com/advisories/61956
http://secunia.com/advisories/62032
http://www-01.ibm.com/support/docview.wss?uid=swg21693292	Patch Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21693440	Patch Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/97707

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ibm:pureapplication_system:1.0.0.0:::::::*
	cpe:2.3:a:ibm:pureapplication_system:1.0.0.1:::::::*
	cpe:2.3:a:ibm:pureapplication_system:1.0.0.2:::::::*
	cpe:2.3:a:ibm:pureapplication_system:1.0.0.3:::::::*
	cpe:2.3:a:ibm:pureapplication_system:1.1.0.0:::::::*
	cpe:2.3:a:ibm:pureapplication_system:1.1.0.1:::::::*
	cpe:2.3:a:ibm:pureapplication_system:1.1.0.2:::::::*
	cpe:2.3:a:ibm:pureapplication_system:1.1.0.3:::::::*
	cpe:2.3:a:ibm:pureapplication_system:1.1.0.4:::::::*
	cpe:2.3:a:ibm:pureapplication_system:2.0.0.0:::::::*

Configuration 2 (hide)

cpe:2.3:a:ibm:workload_deployer:3.1.0.7:*:*:*:*:*:*:*

History

21 Nov 2024, 02:13

Type	Values Removed	Values Added
References	~~() http://secunia.com/advisories/61956 -~~	() http://secunia.com/advisories/61956 -
References	~~() http://secunia.com/advisories/62032 -~~	() http://secunia.com/advisories/62032 -
References	~~() http://www-01.ibm.com/support/docview.wss?uid=swg21693292 - Patch, Vendor Advisory~~	() http://www-01.ibm.com/support/docview.wss?uid=swg21693292 - Patch, Vendor Advisory
References	~~() http://www-01.ibm.com/support/docview.wss?uid=swg21693440 - Patch, Vendor Advisory~~	() http://www-01.ibm.com/support/docview.wss?uid=swg21693440 - Patch, Vendor Advisory
References	~~() https://exchange.xforce.ibmcloud.com/vulnerabilities/97707 -~~	() https://exchange.xforce.ibmcloud.com/vulnerabilities/97707 -

Information

Published : 2015-01-10 02:59

Updated : 2025-04-12 10:46

NVD link : CVE-2014-6158

Mitre link : CVE-2014-6158

CVE.ORG link : CVE-2014-6158

JSON object : View

Products Affected

ibm

pureapplication_system
workload_deployer

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2014-6158", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 9.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "authentication": "SINGLE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2015-01-10T02:59:26.380", "references": [{"url": "http://secunia.com/advisories/61956", "source": "psirt@us.ibm.com"}, {"url": "http://secunia.com/advisories/62032", "source": "psirt@us.ibm.com"}, {"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21693292", "tags": ["Patch", "Vendor Advisory"], "source": "psirt@us.ibm.com"}, {"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21693440", "tags": ["Patch", "Vendor Advisory"], "source": "psirt@us.ibm.com"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/97707", "source": "psirt@us.ibm.com"}, {"url": "http://secunia.com/advisories/61956", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://secunia.com/advisories/62032", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21693292", "tags": ["Patch", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21693440", "tags": ["Patch", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/97707", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Multiple directory traversal vulnerabilities in the file-upload feature in IBM PureApplication System 1.0 before 1.0.0.4 iFix 10, 1.1 before 1.1.0.5, and 2.0 before 2.0.0.1 and Workload Deployer 3.1.0.7 before IF5 allow remote authenticated users to execute arbitrary code via a (1) Script Package, (2) Add-On, or (3) Emergency Fixes component."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades del salto de directorio en la caracteristica de la subida de ficheros en IBM PureApplication System 1.0 anterior a 1.0.0.4 iFix 10, 1.1 anterior a 1.1.0.5, y 2.0 anterior a 2.0.0.1 y Workload Deployer 3.1.0.7 anterior a IF5 permiten a usuarios remotos autenticados ejecutar c\u00f3digo arbitrario a trav\u00e9s de un componente (1) Script Package, (2) Add-On, o (3) Emergency Fixes."}], "lastModified": "2025-04-12T10:46:40.837", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ibm:pureapplication_system:1.0.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5D7AB60B-E38B-42C7-B785-D9520C1F5564"}, {"criteria": "cpe:2.3:a:ibm:pureapplication_system:1.0.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "93F1E692-07AD-4694-A387-A27B35BA3C6E"}, {"criteria": "cpe:2.3:a:ibm:pureapplication_system:1.0.0.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "62BDCFEF-A68F-45C3-83BA-A8414456D458"}, {"criteria": "cpe:2.3:a:ibm:pureapplication_system:1.0.0.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A88D35F2-FB42-4DED-B8FA-F0357CA97591"}, {"criteria": "cpe:2.3:a:ibm:pureapplication_system:1.1.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1D657332-C9B9-4E7B-89D9-5AEF3501141A"}, {"criteria": "cpe:2.3:a:ibm:pureapplication_system:1.1.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E36D4ED9-CFF0-4196-A130-E0C47B69967F"}, {"criteria": "cpe:2.3:a:ibm:pureapplication_system:1.1.0.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E0886278-57ED-4925-8FE4-B2873F1D9D7B"}, {"criteria": "cpe:2.3:a:ibm:pureapplication_system:1.1.0.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "95EC7D5B-53FA-463C-AAB9-C4AF7383B5DF"}, {"criteria": "cpe:2.3:a:ibm:pureapplication_system:1.1.0.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9A583AB8-CF8F-4376-B72C-DD32F8A2A173"}, {"criteria": "cpe:2.3:a:ibm:pureapplication_system:2.0.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "575894EE-F13C-4D56-8B63-59A379F63BD2"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ibm:workload_deployer:3.1.0.7:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C3575BEC-4ECD-495D-AA26-ADE332DF3DF6"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@us.ibm.com"}

9.0 /10