Vulnerability CVE-2013-4057 - CERT Civis.Net

Vulnerability Name:

CVE-2013-4057 (CCN-86546)

Assigned:

2013-06-07

Published:

2014-03-10

Updated:

2017-08-29

Summary:

Cross-site request forgery (CSRF) vulnerability in the XML Pack in IBM InfoSphere Information Server 8.5.x through 8.5 FP3, 8.7.x through 8.7 FP2, and 9.1.x through 9.1.2.0 allows remote attackers to hijack the authentication of arbitrary users.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.9 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2013-4057

Source: CCN
Type: SA57312
IBM InfoSphere Information Server Multiple Vulnerabilities

Source: AIXAPAR
Type: UNKNOWN
JR48815

Source: AIXAPAR
Type: UNKNOWN
JR49200

Source: AIXAPAR
Type: UNKNOWN
JR49206

Source: CCN
Type: IBM Security Bulletin 1666684
Multiple security vulnerabilities exist in IBM InfoSphere Information Server (CVE-2013-4057, CVE-2013-4058 and CVE-2013-4059)

Source: CONFIRM
Type: Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21666684

Source: CCN
Type: IBM Security Bulletin 1670298
Multiple security vulnerabilities exist in IBM InfoSphere Data Click 10.0 (CVE-2013-3034 CVE-2013-3040 CVE-2013-0599 CVE-2013-4057 CVE-2013-4058 CVE-2013-4059 CVE-2013-4066 CVE-2013-4067)

Source: CCN
Type: IBM Security Bulletin 1674448
In IBM InfoSphere Information Server, the Information Services Catalog interface is vulnerable to various web UI vulnerabilities (CVE-2013-3034, CVE-2013-4057, CVE-2013-4059, CVE-2012-4819)

Source: BID
Type: UNKNOWN
66154

Source: CCN
Type: BID-66154
IBM InfoSphere Information Server CVE-2013-4057 Cross Site Request Forgery Vulnerability

Source: XF
Type: UNKNOWN
ibm-infosphere-cve20134057-csrf(86546)

Source: XF
Type: UNKNOWN
ibm-infosphere-cve20134057-csrf(86546)

Vulnerable Configuration:

Configuration 1:

cpe:/a:ibm:infosphere_information_server:8.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:infosphere_information_server:8.5.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:infosphere_information_server:8.5.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:infosphere_information_server:8.5.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:infosphere_information_server:8.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:infosphere_information_server:8.7.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:infosphere_information_server:8.7.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:infosphere_information_server:9.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:infosphere_information_server:9.1.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:infosphere_information_server:9.1.2:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:ibm:infosphere_information_server:8.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:infosphere_information_server:8.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:infosphere_information_server:8.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:infosphere_information_server:9.1:*:*:*:*:*:*:*

AND

cpe:/a:ibm:infosphere_information_server:8.0:*:*:*:*:*:*:*

Denotes that component is vulnerable