Vulnerability Name:

CVE-2005-2454 (CCN-29660)

Assigned:2005-12-31
Published:2005-12-31
Updated:2018-10-19
Summary:IBM Lotus Notes 6.5.4 and 6.5.5, and 7.0.0 and 7.0.1, uses insecure default permissions (Everyone/Full Control) for the "Notes" folder and all children, which allows local users to gain privileges and modify, add, or delete files in that folder.
Update to version 7.0.2.
CVSS v3 Severity:5.9 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): Low
CVSS v2 Severity:4.6 Medium (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P)
3.4 Low (Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
4.6 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P)
3.4 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
Vulnerability Type:CWE-264
Vulnerability Consequences:Gain Access
References:Source: CCN
Type: BugTraq Mailing List, Wed Oct 18 2006 - 10:39:12 CDT
Secunia Research: IBM Lotus Notes Insecure Default Folder Permissions

Source: MITRE
Type: CNA
CVE-2005-2454

Source: CCN
Type: SA19537
IBM Lotus Notes Insecure Default Directory Permissions

Source: SECUNIA
Type: Vendor Advisory
19537

Source: CCN
Type: SA27342
IBM Lotus Notes Insecure Default Directory Permissions

Source: SECUNIA
Type: Vendor Advisory
27342

Source: MISC
Type: Vendor Advisory
http://secunia.com/secunia_research/2005-29/advisory/

Source: CCN
Type: SECTRACK ID: 1017086
IBM Lotus Notes Lets Local Users Modify Critical Files

Source: SECTRACK
Type: UNKNOWN
1017086

Source: CCN
Type: IBM Web site
Secunia 19537: IBM Lotus Notes Insecure Default Permissions

Source: CONFIRM
Type: UNKNOWN
http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21246773

Source: CCN
Type: US-CERT VU#383092
IBM Lotus Notes sets insecure default permissions on program data

Source: CERT-VN
Type: US Government Resource
VU#383092

Source: OSVDB
Type: UNKNOWN
29761

Source: CCN
Type: OSVDB ID: 29761
IBM Lotus Notes Installation Default Permission Weakness

Source: BUGTRAQ
Type: UNKNOWN
20061018 Secunia Research: IBM Lotus Notes Insecure Default FolderPermissions

Source: BID
Type: UNKNOWN
20612

Source: CCN
Type: BID-20612
IBM Lotus Notes Local Insecure Default Directory Permissions Vulnerability

Source: CCN
Type: BID-25401
IBM Lotus Notes NTMulti.EXE Local Privilege Escalation Vulnerability

Source: VUPEN
Type: Vendor Advisory
ADV-2006-4093

Source: XF
Type: UNKNOWN
lotusnotes-directory-insecure-permission(29660)

Source: XF
Type: UNKNOWN
lotusnotes-directory-insecure-permission(29660)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:ibm:lotus_notes:6.5.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:lotus_notes:6.5.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:lotus_notes:7.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:lotus_notes:7.0.1:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:ibm:lotus_notes:7.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:lotus_notes:6.5.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:lotus_notes:7.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:lotus_notes:6.5.5:*:*:*:*:*:*:*
  • AND
  • cpe:/o:microsoft:windows_xp:::professional:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    ibm lotus notes 6.5.4
    ibm lotus notes 6.5.5
    ibm lotus notes 7.0.0
    ibm lotus notes 7.0.1
    ibm lotus notes 7.0
    ibm lotus notes 6.5.4
    ibm lotus notes 7.0.1
    ibm lotus notes 6.5.5
    microsoft windows xp