CVE-2019-4173

IBM Cognos Controller 10.2.0, 10.2.1, 10.3.0, 10.3.1, and 10.4.0 could allow a remote attacker to obtain sensitive information, caused by a flaw in the HTTP OPTIONS method, aka Optionsbleed. By sending an OPTIONS HTTP request, a remote attacker could exploit this vulnerability to read secret data from process memory and obtain sensitive information. IBM X-Force ID: 158878.

CVSS v3 6.5 MEDIUM
CVSS v2.0 4.0 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://www.ibm.com/support/docview.wss?uid=ibm10886913	Patch Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/158878	VDB Entry Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ibm:cognos_controller:10.2.0:::::::*
	cpe:2.3:a:ibm:cognos_controller:10.2.1:::::::*
	cpe:2.3:a:ibm:cognos_controller:10.3.0:::::::*
	cpe:2.3:a:ibm:cognos_controller:10.3.1:::::::*
	cpe:2.3:a:ibm:cognos_controller:10.4.0:::::::*

History

No history.

Information

Published : 2019-06-17 15:15

Updated : 2024-02-04 20:20

NVD link : CVE-2019-4173

Mitre link : CVE-2019-4173

CVE.ORG link : CVE-2019-4173

JSON object : View

Products Affected

ibm

cognos_controller

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2019-4173", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Secondary", "source": "psirt@us.ibm.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2019-06-17T15:15:12.520", "references": [{"url": "http://www.ibm.com/support/docview.wss?uid=ibm10886913", "tags": ["Patch", "Vendor Advisory"], "source": "psirt@us.ibm.com"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/158878", "tags": ["VDB Entry", "Vendor Advisory"], "source": "psirt@us.ibm.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "IBM Cognos Controller 10.2.0, 10.2.1, 10.3.0, 10.3.1, and 10.4.0 could allow a remote attacker to obtain sensitive information, caused by a flaw in the HTTP OPTIONS method, aka Optionsbleed. By sending an OPTIONS HTTP request, a remote attacker could exploit this vulnerability to read secret data from process memory and obtain sensitive information. IBM X-Force ID: 158878."}, {"lang": "es", "value": "IBM Cognos Controller 10.2.0, 10.2.1, 10.3.0, 10.3.1 y 10.4.0 podr\u00eda permitirle a un atacante remoto obtener informaci\u00f3n confidencial, causada por un fallo en el m\u00e9todo de HTTP OPTIONS, tambi\u00e9n conocido como Opcionesbleed. Al enviar una solicitud HTTP OPTIONS, un atacante remoto podr\u00eda aprovechar esta vulnerabilidad para leer datos secretos de la memoria de proceso y obtener informaci\u00f3n confidencial. ID de IBM X-Force: 158878."}], "lastModified": "2023-02-03T20:41:09.010", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ibm:cognos_controller:10.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C5E51AA2-19DE-4FC5-A126-ACA169942521"}, {"criteria": "cpe:2.3:a:ibm:cognos_controller:10.2.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2A39451D-1A06-4082-99E9-C86DBA797050"}, {"criteria": "cpe:2.3:a:ibm:cognos_controller:10.3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7B9021EE-6BDF-4722-A7EA-E984A21684A7"}, {"criteria": "cpe:2.3:a:ibm:cognos_controller:10.3.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F544128B-455B-4485-A98F-4DB751925B36"}, {"criteria": "cpe:2.3:a:ibm:cognos_controller:10.4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8284ECE5-3938-47B2-99B6-6D3B9ECB8C82"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@us.ibm.com"}