CVE-2020-4623

IBM i2 iBase 8.9.13 could allow a local authenticated attacker to execute arbitrary code on the system, caused by a DLL search order hijacking flaw. By using a specially-crafted .DLL file, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 184984.

CVSS v3 6.5 MEDIUM
CVSS v2.0 4.4 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.6 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

4.4^/10

CVSS v2.0 : MEDIUM

Vector : AV:L/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 3.4 / Impact : 6.4

Access Vector LOCAL

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://exchange.xforce.ibmcloud.com/vulnerabilities/184984	VDB Entry Vendor Advisory
https://www.ibm.com/support/pages/node/6474857	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:ibm:i2_ibase:8.9.13:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

History

04 Aug 2021, 17:40

Type	Values Removed	Values Added
References	~~(CONFIRM) https://www.ibm.com/support/pages/node/6474857 -~~	(CONFIRM) https://www.ibm.com/support/pages/node/6474857 - Patch, Vendor Advisory
References	~~(XF) https://exchange.xforce.ibmcloud.com/vulnerabilities/184984 -~~	(XF) https://exchange.xforce.ibmcloud.com/vulnerabilities/184984 - VDB Entry, Vendor Advisory
CPE		cpe:2.3:o:microsoft:windows:-:::::::* cpe:2.3:a:ibm:i2_ibase:8.9.13:::::::*
CWE		CWE-427
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 4.4 v3 : 6.5

26 Jul 2021, 13:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2021-07-26 12:15

Updated : 2024-02-04 21:47

NVD link : CVE-2020-4623

Mitre link : CVE-2020-4623

CVE.ORG link : CVE-2020-4623

JSON object : View

Products Affected

microsoft

windows

ibm

i2_ibase

CWE

CWE-427

Uncontrolled Search Path Element

{"id": "CVE-2020-4623", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.4, "accessVector": "LOCAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 3.4, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Secondary", "source": "psirt@us.ibm.com", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 7.7, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.1}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.6}]}, "published": "2021-07-26T12:15:08.317", "references": [{"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/184984", "tags": ["VDB Entry", "Vendor Advisory"], "source": "psirt@us.ibm.com"}, {"url": "https://www.ibm.com/support/pages/node/6474857", "tags": ["Patch", "Vendor Advisory"], "source": "psirt@us.ibm.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-427"}]}], "descriptions": [{"lang": "en", "value": "IBM i2 iBase 8.9.13 could allow a local authenticated attacker to execute arbitrary code on the system, caused by a DLL search order hijacking flaw. By using a specially-crafted .DLL file, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 184984."}, {"lang": "es", "value": "IBM i2 iBase versi\u00f3n 8.9.13, podr\u00eda permitir a un atacante local autenticado ejecutar c\u00f3digo arbitrario en el sistema, causado por un fallo de secuestro del orden de b\u00fasqueda de la DLL. Al usar un archivo .DLL especialmente dise\u00f1ado, un atacante podr\u00eda explotar esta vulnerabilidad para ejecutar c\u00f3digo arbitrario en el sistema. IBM X-Force ID: 184984"}], "lastModified": "2021-08-04T17:40:03.613", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ibm:i2_ibase:8.9.13:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FC25801D-B8EB-497D-AF2F-F52A3DD38C52"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "psirt@us.ibm.com"}