cnvd - cnvd-2015-00033

CNVD-2015-00033

Vulnerability from cnvd - Published: 2015-01-05

Title

IBM WebSphere Service Registry and Repository预期访问限制绕过漏洞

Description

IBM WebSphere Service Registry and Repository（WSRR）是美国IBM公司的一个用于服务交互端点描述的主元数据存储库，它提供了存储、访问和管理有关服务信息的功能，并且是SOA实现的关键组成部分。 IBM WSRR 8.5版本存在安全漏洞。由于程序使用Chrome和WebSEAL时，未能正确处理ServiceRegistryDashboard注销操作。远程攻击者可利用该漏洞绕过既定的访问限制。

Severity

低

Patch Name

IBM WebSphere Service Registry and Repository预期访问限制绕过漏洞的补丁

Patch Description

Formal description

用户可参考如下供应商提供的安全公告获得补丁信息： http://www-01.ibm.com/support/docview.wss?uid=swg1IV63498

Reference

http://www-01.ibm.com/support/docview.wss?uid=swg21693389

Impacted products

Name
IBM WebSphere Service Registry and Repository 8.5 - 8.5.0.1

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "71898"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2014-6160"
    }
  },
  "description": "IBM WebSphere Service Registry and Repository\uff08WSRR\uff09\u662f\u7f8e\u56fdIBM\u516c\u53f8\u7684\u4e00\u4e2a\u7528\u4e8e\u670d\u52a1\u4ea4\u4e92\u7aef\u70b9\u63cf\u8ff0\u7684\u4e3b\u5143\u6570\u636e\u5b58\u50a8\u5e93\uff0c\u5b83\u63d0\u4f9b\u4e86\u5b58\u50a8\u3001\u8bbf\u95ee\u548c\u7ba1\u7406\u6709\u5173\u670d\u52a1\u4fe1\u606f\u7684\u529f\u80fd\uff0c\u5e76\u4e14\u662fSOA\u5b9e\u73b0\u7684\u5173\u952e\u7ec4\u6210\u90e8\u5206\u3002\r\n\r\nIBM WSRR 8.5\u7248\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u7531\u4e8e\u7a0b\u5e8f\u4f7f\u7528Chrome\u548cWebSEAL\u65f6\uff0c\u672a\u80fd\u6b63\u786e\u5904\u7406ServiceRegistryDashboard\u6ce8\u9500\u64cd\u4f5c\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7ed5\u8fc7\u65e2\u5b9a\u7684\u8bbf\u95ee\u9650\u5236\u3002",
  "discovererName": "IBM",
  "formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u4f9b\u5e94\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u516c\u544a\u83b7\u5f97\u8865\u4e01\u4fe1\u606f\uff1a\r\nhttp://www-01.ibm.com/support/docview.wss?uid=swg1IV63498",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2015-00033",
  "openTime": "2015-01-05",
  "patchDescription": "IBM WebSphere Service Registry and Repository\uff08WSRR\uff09\u662f\u7f8e\u56fdIBM\u516c\u53f8\u7684\u4e00\u4e2a\u7528\u4e8e\u670d\u52a1\u4ea4\u4e92\u7aef\u70b9\u63cf\u8ff0\u7684\u4e3b\u5143\u6570\u636e\u5b58\u50a8\u5e93\uff0c\u5b83\u63d0\u4f9b\u4e86\u5b58\u50a8\u3001\u8bbf\u95ee\u548c\u7ba1\u7406\u6709\u5173\u670d\u52a1\u4fe1\u606f\u7684\u529f\u80fd\uff0c\u5e76\u4e14\u662fSOA\u5b9e\u73b0\u7684\u5173\u952e\u7ec4\u6210\u90e8\u5206\u3002 \r\n\r\nIBM WSRR 8.5\u7248\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u7531\u4e8e\u7a0b\u5e8f\u4f7f\u7528Chrome\u548cWebSEAL\u65f6\uff0c\u672a\u80fd\u6b63\u786e\u5904\u7406ServiceRegistryDashboard\u6ce8\u9500\u64cd\u4f5c\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7ed5\u8fc7\u65e2\u5b9a\u7684\u8bbf\u95ee\u9650\u5236\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "IBM WebSphere Service Registry and Repository\u9884\u671f\u8bbf\u95ee\u9650\u5236\u7ed5\u8fc7\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "IBM WebSphere Service Registry and Repository 8.5 - 8.5.0.1"
  },
  "referenceLink": "http://www-01.ibm.com/support/docview.wss?uid=swg21693389",
  "serverity": "\u4f4e",
  "submitTime": "2015-01-04",
  "title": "IBM WebSphere Service Registry and Repository\u9884\u671f\u8bbf\u95ee\u9650\u5236\u7ed5\u8fc7\u6f0f\u6d1e"
}

CVE-2014-6160 (GCVE-0-2014-6160)

Vulnerability from cvelistv5 – Published: 2014-12-29 02:00 – Updated: 2024-08-06 12:10

Summary

IBM WebSphere Service Registry and Repository (WSRR) 8.5 before 8.5.0.1, when Chrome and WebSEAL are used, does not properly process ServiceRegistryDashboard logout actions, which allows remote attackers to bypass intended access restrictions by leveraging an unattended workstation.

Severity ?

No CVSS data available.

CWE

Assigner

ibm

References

URL

Tags

	https://exchange.xforce.ibmcloud.com/vulnerabilit…	vdb-entryx_refsource_XF
	http://www-01.ibm.com/support/docview.wss?uid=swg…	x_refsource_CONFIRM
	http://www-01.ibm.com/support/docview.wss?uid=swg…	vendor-advisoryx_refsource_AIXAPAR

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T12:10:12.973Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "ibm-wsrr-cve20146160-logout(97709)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/97709"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21693389"
          },
          {
            "name": "IV63498",
            "tags": [
              "vendor-advisory",
              "x_refsource_AIXAPAR",
              "x_transferred"
            ],
            "url": "http://www-01.ibm.com/support/docview.wss?uid=swg1IV63498"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2014-12-12T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "IBM WebSphere Service Registry and Repository (WSRR) 8.5 before 8.5.0.1, when Chrome and WebSEAL are used, does not properly process ServiceRegistryDashboard logout actions, which allows remote attackers to bypass intended access restrictions by leveraging an unattended workstation."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-09-07T15:57:01",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "name": "ibm-wsrr-cve20146160-logout(97709)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/97709"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21693389"
        },
        {
          "name": "IV63498",
          "tags": [
            "vendor-advisory",
            "x_refsource_AIXAPAR"
          ],
          "url": "http://www-01.ibm.com/support/docview.wss?uid=swg1IV63498"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@us.ibm.com",
          "ID": "CVE-2014-6160",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "IBM WebSphere Service Registry and Repository (WSRR) 8.5 before 8.5.0.1, when Chrome and WebSEAL are used, does not properly process ServiceRegistryDashboard logout actions, which allows remote attackers to bypass intended access restrictions by leveraging an unattended workstation."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "ibm-wsrr-cve20146160-logout(97709)",
              "refsource": "XF",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/97709"
            },
            {
              "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21693389",
              "refsource": "CONFIRM",
              "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21693389"
            },
            {
              "name": "IV63498",
              "refsource": "AIXAPAR",
              "url": "http://www-01.ibm.com/support/docview.wss?uid=swg1IV63498"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2014-6160",
    "datePublished": "2014-12-29T02:00:00",
    "dateReserved": "2014-09-02T00:00:00",
    "dateUpdated": "2024-08-06T12:10:12.973Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2015-00033

CVE-2014-6160 (GCVE-0-2014-6160)

Tags

Sightings

Nomenclature