Vulnerability CVE-2011-1390 - CERT Civis.Net

Vulnerability Name:

CVE-2011-1390 (CCN-71802)

Assigned:

2011-12-14

Published:

2011-12-14

Updated:

2017-08-17

Summary:

SQL injection vulnerability in the Maintenance tool in IBM Rational ClearQuest 7.1.1.x before 7.1.1.9, 7.1.2.x before 7.1.2.6, and 8.x before 8.0.0.2 allows remote attackers to execute arbitrary SQL commands by leveraging an error in the user-database upgrade feature.

CVSS v3 Severity:

7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): Low

CVSS v2 Severity:

7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
6.5 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
6.5 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

Vulnerability Type:

Vulnerability Consequences:

Data Manipulation

References:

Source: MITRE
Type: CNA
CVE-2011-1390

Source: OSVDB
Type: UNKNOWN
81815

Source: CCN
Type: SA49093
IBM Rational ClearQuest SQL Injection Vulnerability

Source: SECUNIA
Type: UNKNOWN
49093

Source: CONFIRM
Type: Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21594717

Source: CCN
Type: IBM Security Bulletin 1594717
SQL Injection for IBM Rational ClearQuest Maintenance tool (CVE-2011-1390)

Source: CCN
Type: OSVDB ID: 81815
IBM Rational ClearQuest User Database Upgrading Unspecified SQL Injection

Source: BID
Type: UNKNOWN
53483

Source: CCN
Type: BID-53483
IBM Rational ClearQuest SQL Injection Vulnerability

Source: SECTRACK
Type: UNKNOWN
1027060

Source: XF
Type: UNKNOWN
rcq-maintenancetool-sql-injection(71802)

Source: XF
Type: UNKNOWN
rcq-maintenancetool-sql-injection(71802)

Vulnerable Configuration:

Configuration 1:

cpe:/a:ibm:rational_clearquest:7.1.1.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_clearquest:7.1.1.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_clearquest:7.1.1.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_clearquest:7.1.1.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_clearquest:7.1.1.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_clearquest:7.1.1.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_clearquest:7.1.1.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_clearquest:7.1.1.8:*:*:*:*:*:*:*

Configuration 2:

cpe:/a:ibm:rational_clearquest:7.1.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_clearquest:7.1.2.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_clearquest:7.1.2.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_clearquest:7.1.2.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_clearquest:7.1.2.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_clearquest:7.1.2.5:*:*:*:*:*:*:*

Configuration 3:

cpe:/a:ibm:rational_clearquest:8.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_clearquest:8.0.0.1:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:ibm:rational_clearquest:7.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_clearquest:8.0:*:*:*:*:*:*:*

Denotes that component is vulnerable