CVE-2015-7408

The server in IBM Spectrum Protect (aka Tivoli Storage Manager) 5.5 and 6.x before 6.3.5.1 and 7.x before 7.1.4 does not properly restrict use of the ASNODENAME option, which allows remote attackers to read or write to backup data by leveraging proxy authority.

CVSS v3 3.7 LOW
CVSS v2.0 2.6 LOW

3.7^/10

CVSS v3 : LOW

V3 Legend

Vector : AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability : 2.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

2.6^/10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:N/AC:H/Au:N/C:P/I:N/A:N

Exploitability : 4.9 / Impact : 2.9

Access Vector NETWORK

Access Complexity HIGH

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://www-01.ibm.com/support/docview.wss?uid=swg1IT13609	Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21975957	Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg1IT13609	Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21975957	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ibm:tivoli_storage_manager:5.5.0.0:::::::*
	cpe:2.3:a:ibm:tivoli_storage_manager:6.1.0.0:::::::*
	cpe:2.3:a:ibm:tivoli_storage_manager:6.2.0.0:::::::*
	cpe:2.3:a:ibm:tivoli_storage_manager:6.3.3.0:::::::*
	cpe:2.3:a:ibm:tivoli_storage_manager:6.3.4.0:::::::*
	cpe:2.3:a:ibm:tivoli_storage_manager:6.3.5.0:::::::*
	cpe:2.3:a:ibm:tivoli_storage_manager:7.1.0.0:::::::*
	cpe:2.3:a:ibm:tivoli_storage_manager:7.1.0.1:::::::*
	cpe:2.3:a:ibm:tivoli_storage_manager:7.1.0.2:::::::*
	cpe:2.3:a:ibm:tivoli_storage_manager:7.1.0.3:::::::*

History

21 Nov 2024, 02:36

Type	Values Removed	Values Added
References	~~() http://www-01.ibm.com/support/docview.wss?uid=swg1IT13609 - Vendor Advisory~~	() http://www-01.ibm.com/support/docview.wss?uid=swg1IT13609 - Vendor Advisory
References	~~() http://www-01.ibm.com/support/docview.wss?uid=swg21975957 - Vendor Advisory~~	() http://www-01.ibm.com/support/docview.wss?uid=swg21975957 - Vendor Advisory

Information

Published : 2016-02-15 02:59

Updated : 2024-11-21 02:36

NVD link : CVE-2015-7408

Mitre link : CVE-2015-7408

CVE.ORG link : CVE-2015-7408

JSON object : View

Products Affected

ibm

tivoli_storage_manager

CWE

CWE-264

Permissions, Privileges, and Access Controls

{"id": "CVE-2015-7408", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.6, "accessVector": "NETWORK", "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "HIGH", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 4.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.2}]}, "published": "2016-02-15T02:59:10.450", "references": [{"url": "http://www-01.ibm.com/support/docview.wss?uid=swg1IT13609", "tags": ["Vendor Advisory"], "source": "psirt@us.ibm.com"}, {"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21975957", "tags": ["Vendor Advisory"], "source": "psirt@us.ibm.com"}, {"url": "http://www-01.ibm.com/support/docview.wss?uid=swg1IT13609", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21975957", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-264"}]}], "descriptions": [{"lang": "en", "value": "The server in IBM Spectrum Protect (aka Tivoli Storage Manager) 5.5 and 6.x before 6.3.5.1 and 7.x before 7.1.4 does not properly restrict use of the ASNODENAME option, which allows remote attackers to read or write to backup data by leveraging proxy authority."}, {"lang": "es", "value": "El servidor en IBM Spectrum Protect (tambi\u00e9n conocido como Tivoli Storage Manager) 5.5 y 6.x en versiones anteriores a 6.3.5.1 y 7.x en versiones anteriores a 7.1.4 no restringe adecuadamente el uso de la opci\u00f3n ASNODENAME, lo que permite a atacantes remotos leer o escribir en datos de copia de seguridad mediante el aprovechamiento de la autoridad proxy."}], "lastModified": "2024-11-21T02:36:44.217", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ibm:tivoli_storage_manager:5.5.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7176DF47-ECA5-4B7B-96E7-D1BE0C247E1A"}, {"criteria": "cpe:2.3:a:ibm:tivoli_storage_manager:6.1.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1454B08E-F417-4746-A8ED-E1C120DFEA98"}, {"criteria": "cpe:2.3:a:ibm:tivoli_storage_manager:6.2.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "476EE4EA-A032-49EF-9A4C-37D8AD642130"}, {"criteria": "cpe:2.3:a:ibm:tivoli_storage_manager:6.3.3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "36868EC3-6E63-4309-AD58-F1AE83951FDD"}, {"criteria": "cpe:2.3:a:ibm:tivoli_storage_manager:6.3.4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BC69F2F4-0DD3-4BD8-8591-F0BCD99FBD60"}, {"criteria": "cpe:2.3:a:ibm:tivoli_storage_manager:6.3.5.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "09BD0061-3DB5-4479-8624-4242FB1AF42A"}, {"criteria": "cpe:2.3:a:ibm:tivoli_storage_manager:7.1.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5999622E-68F7-4273-BAB7-0B07DCB78163"}, {"criteria": "cpe:2.3:a:ibm:tivoli_storage_manager:7.1.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "53CF0089-B81D-4738-85AC-E728DF77FBAF"}, {"criteria": "cpe:2.3:a:ibm:tivoli_storage_manager:7.1.0.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CF39AAEE-2FC3-4ACC-AEF7-6E12EEEF0BCB"}, {"criteria": "cpe:2.3:a:ibm:tivoli_storage_manager:7.1.0.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C71F01C8-C1BB-4E93-8AE8-A1B5131310B8"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@us.ibm.com"}

3.7 /10

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

2.6 /10

Access Vector NETWORK

Access Complexity HIGH

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2015-7408

3.7^/10

2.6^/10

Attach tags to `CVE-2015-7408`