CVE-2015-7408
low
CVSS v3
3.7
CVSS v2
2.6
VIR risk
3.7
Description
The server in IBM Spectrum Protect (aka Tivoli Storage Manager) 5.5 and 6.x before 6.3.5.1 and 7.x before 7.1.4 does not properly restrict use of the ASNODENAME option, which allows remote attackers to read or write to backup data by leveraging proxy authority.
Predictions
Exploit likelihood
47%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: psirt@us.ibm.com — http://www-01.ibm.com/support/docview.wss?uid=swg21975957
Vendor advisory: psirt@us.ibm.com — http://www-01.ibm.com/support/docview.wss?uid=swg1IT13609
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| ibm | tivoli_storage_manager | 5.5.0.0 | |
| ibm | tivoli_storage_manager | 6.1.0.0 | |
| ibm | tivoli_storage_manager | 6.2.0.0 | |
| ibm | tivoli_storage_manager | 6.3.3.0 | |
| ibm | tivoli_storage_manager | 6.3.4.0 | |
| ibm | tivoli_storage_manager | 6.3.5.0 | |
| ibm | tivoli_storage_manager | 7.1.0.0 | |
| ibm | tivoli_storage_manager | 7.1.0.1 | |
| ibm | tivoli_storage_manager | 7.1.0.2 | |
| ibm | tivoli_storage_manager | 7.1.0.3 | |
References
CWEs
CWE-264
Verify integrity in audit chain (admin only). AS-IS.