cnvd - cnvd-2015-07939

CNVD-2015-07939

Vulnerability from cnvd - Published: 2015-12-07

Title

多款IBM产品安全绕过漏洞（CNVD-2015-07939）

Description

IBM Maximo Asset Management等都是美国IBM公司的产品。Maximo Asset Management和Maximo Asset Management Essentials都是综合性资产生命周期和维护管理解决方案。SmartCloud Control Desk（SCCD）是一套统一资产和服务管理软件，Tivoli IT Asset Management for IT是一套IT资产管理解决方案。Tivoli Service Request Manager是一套IT服务管理解决方案。Change and Configuration Management Database是一套用于自动发现企业的物理和应用程序基础设施的工具。多款IBM产品中存在安全漏洞。由于程序使用不正确的访问控制。攻击者可利用该漏洞读取查询结果，破坏数据的完整性。

Severity

高

Patch Name

多款IBM产品安全绕过漏洞（CNVD-2015-07939）的补丁

Patch Description

Formal description

目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： http://www-01.ibm.com/support/docview.wss?uid=swg21970797

Reference

https://www.ibm.com/support/docview.wss?uid=swg21970797 http://secunia.com/advisories/67624

Impacted products

Name
['IBM Maximo Asset Management Essentials 7.5', 'IBM SmartCloud Control Desk 7.5', 'IBM Maximo Asset Management 7.6', 'IBM Maximo Asset Management 7.5', 'IBM Maximo for Government 7.5', 'IBM Maximo for Nuclear Power 7.5', 'IBM Maximo for Transportation 7.5', 'IBM Maximo for Life Sciences 7.6', 'IBM Maximo for Life Sciences 7.5', 'IBM Maximo for Oil and Gas 7.5', 'IBM Maximo for Utilities 7.5', 'IBM SmartCloud Control Desk 7.6']

Name

['IBM Maximo Asset Management Essentials 7.5', 'IBM SmartCloud Control Desk 7.5', 'IBM Maximo Asset Management 7.6', 'IBM Maximo Asset Management 7.5', 'IBM Maximo for Government 7.5', 'IBM Maximo for Nuclear Power 7.5', 'IBM Maximo for Transportation 7.5', 'IBM Maximo for Life Sciences 7.6', 'IBM Maximo for Life Sciences 7.5', 'IBM Maximo for Oil and Gas 7.5', 'IBM Maximo for Utilities 7.5', 'IBM SmartCloud Control Desk 7.6']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2015-5051"
    }
  },
  "description": "IBM Maximo Asset Management\u7b49\u90fd\u662f\u7f8e\u56fdIBM\u516c\u53f8\u7684\u4ea7\u54c1\u3002Maximo Asset Management\u548cMaximo Asset Management Essentials\u90fd\u662f\u7efc\u5408\u6027\u8d44\u4ea7\u751f\u547d\u5468\u671f\u548c\u7ef4\u62a4\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\u3002SmartCloud Control Desk\uff08SCCD\uff09\u662f\u4e00\u5957\u7edf\u4e00\u8d44\u4ea7\u548c\u670d\u52a1\u7ba1\u7406\u8f6f\u4ef6\uff0cTivoli IT Asset Management for IT\u662f\u4e00\u5957IT\u8d44\u4ea7\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\u3002Tivoli Service Request Manager\u662f\u4e00\u5957IT\u670d\u52a1\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\u3002Change and Configuration Management Database\u662f\u4e00\u5957\u7528\u4e8e\u81ea\u52a8\u53d1\u73b0\u4f01\u4e1a\u7684\u7269\u7406\u548c\u5e94\u7528\u7a0b\u5e8f\u57fa\u7840\u8bbe\u65bd\u7684\u5de5\u5177\u3002\r\n\r\n\u591a\u6b3eIBM\u4ea7\u54c1\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u7531\u4e8e\u7a0b\u5e8f\u4f7f\u7528\u4e0d\u6b63\u786e\u7684\u8bbf\u95ee\u63a7\u5236\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bfb\u53d6\u67e5\u8be2\u7ed3\u679c\uff0c\u7834\u574f\u6570\u636e\u7684\u5b8c\u6574\u6027\u3002",
  "discovererName": "IBM",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttp://www-01.ibm.com/support/docview.wss?uid=swg21970797",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2015-07939",
  "openTime": "2015-12-07",
  "patchDescription": "IBM Maximo Asset Management\u7b49\u90fd\u662f\u7f8e\u56fdIBM\u516c\u53f8\u7684\u4ea7\u54c1\u3002Maximo Asset Management\u548cMaximo Asset Management Essentials\u90fd\u662f\u7efc\u5408\u6027\u8d44\u4ea7\u751f\u547d\u5468\u671f\u548c\u7ef4\u62a4\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\u3002SmartCloud Control Desk\uff08SCCD\uff09\u662f\u4e00\u5957\u7edf\u4e00\u8d44\u4ea7\u548c\u670d\u52a1\u7ba1\u7406\u8f6f\u4ef6\uff0cTivoli IT Asset Management for IT\u662f\u4e00\u5957IT\u8d44\u4ea7\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\u3002Tivoli Service Request Manager\u662f\u4e00\u5957IT\u670d\u52a1\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\u3002Change and Configuration Management Database\u662f\u4e00\u5957\u7528\u4e8e\u81ea\u52a8\u53d1\u73b0\u4f01\u4e1a\u7684\u7269\u7406\u548c\u5e94\u7528\u7a0b\u5e8f\u57fa\u7840\u8bbe\u65bd\u7684\u5de5\u5177\u3002\r\n\r\n\u591a\u6b3eIBM\u4ea7\u54c1\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u7531\u4e8e\u7a0b\u5e8f\u4f7f\u7528\u4e0d\u6b63\u786e\u7684\u8bbf\u95ee\u63a7\u5236\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bfb\u53d6\u67e5\u8be2\u7ed3\u679c\uff0c\u7834\u574f\u6570\u636e\u7684\u5b8c\u6574\u6027\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "\u591a\u6b3eIBM\u4ea7\u54c1\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\uff08CNVD-2015-07939\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "IBM Maximo Asset Management Essentials 7.5",
      "IBM SmartCloud Control Desk 7.5",
      "IBM Maximo Asset Management 7.6",
      "IBM Maximo Asset Management  7.5",
      "IBM Maximo for Government 7.5",
      "IBM Maximo for Nuclear Power 7.5",
      "IBM Maximo for Transportation 7.5",
      "IBM Maximo for Life Sciences 7.6",
      "IBM Maximo for Life Sciences 7.5",
      "IBM Maximo for Oil and Gas 7.5",
      "IBM Maximo for Utilities 7.5",
      "IBM SmartCloud Control Desk 7.6"
    ]
  },
  "referenceLink": "https://www.ibm.com/support/docview.wss?uid=swg21970797\r\nhttp://secunia.com/advisories/67624",
  "serverity": "\u9ad8",
  "submitTime": "2015-12-02",
  "title": "\u591a\u6b3eIBM\u4ea7\u54c1\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\uff08CNVD-2015-07939\uff09"
}

CVE-2015-5051 (GCVE-0-2015-5051)

Vulnerability from cvelistv5 – Published: 2016-01-03 02:00 – Updated: 2024-08-06 06:32

Summary

IBM Maximo Asset Management 7.5 before 7.5.0.8 IF6 and 7.6 before 7.6.0.2 IF1 and Maximo Asset Management 7.5 before 7.5.0.8 IF6, 7.5.1, and 7.6 before 7.6.0.2 IF1 for SmartCloud Control Desk allow remote authenticated users to bypass intended access restrictions on query results via unspecified vectors.

Severity ?

No CVSS data available.

CWE

Assigner

ibm

References

URL

Tags

http://www-01.ibm.com/support/docview.wss?uid=swg…

x_refsource_CONFIRM

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T06:32:32.557Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21970797"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-11-20T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "IBM Maximo Asset Management 7.5 before 7.5.0.8 IF6 and 7.6 before 7.6.0.2 IF1 and Maximo Asset Management 7.5 before 7.5.0.8 IF6, 7.5.1, and 7.6 before 7.6.0.2 IF1 for SmartCloud Control Desk allow remote authenticated users to bypass intended access restrictions on query results via unspecified vectors."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2016-01-03T04:57:01",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21970797"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@us.ibm.com",
          "ID": "CVE-2015-5051",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "IBM Maximo Asset Management 7.5 before 7.5.0.8 IF6 and 7.6 before 7.6.0.2 IF1 and Maximo Asset Management 7.5 before 7.5.0.8 IF6, 7.5.1, and 7.6 before 7.6.0.2 IF1 for SmartCloud Control Desk allow remote authenticated users to bypass intended access restrictions on query results via unspecified vectors."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www-01.ibm.com/support/docview.wss?uid=swg21970797",
              "refsource": "CONFIRM",
              "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21970797"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2015-5051",
    "datePublished": "2016-01-03T02:00:00",
    "dateReserved": "2015-06-24T00:00:00",
    "dateUpdated": "2024-08-06T06:32:32.557Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2015-07939

CVE-2015-5051 (GCVE-0-2015-5051)

Tags

Sightings

Nomenclature