Vulnerability Name: CVE-2017-1731 (CCN-134912)
Assigned: 2016-11-30
Published: 2018-01-29
Updated: 2019-10-03
Summary: IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could provide weaker than expected security when using the Administrative Console. An authenticated remote attacker could exploit this vulnerability to possibly gain elevated privileges.

CVSS v3 Severity:
8.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
7.7 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): Low; User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High; Integrity (I): High; Availability (A): High

8.8 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
7.7 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): Low; User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High; Integrity (I): High; Availability (A): High

CVSS v2 Severity:
6.5 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P)
Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): Partial; Integrity (I): Partial; Availability (A): Partial

9.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C)
Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): Complete; Integrity (I): Complete; Availability (A): Complete

Vulnerability Type: CWE-noinfo
Vulnerability Consequences: Gain Privileges

References:

Source: MITRE Type: CNA
CVE-2017-1731

Source: CCN Type: IBM Security Bulletin 2012345 (WebSphere Application Server)
Potential Privilege Escalation in WebSphere Application Server Admin Console

Source: CONFIRM Type: Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg22012345&myns=swgws&mynp=OCSSEQTP&mync=R&cm_sp=swgws-_-OCSSEQTP-_-R

Source: CCN Type: IBM Security Bulletin 2014721 (WebSphere Application Server in Cloud)
Potential Privilege Escalation and Information disclosure affect IBM WebSphere Application Server in IBM Cloud (CVE-2017-1731, CVE-2017-1741)

Source: CCN Type: IBM Security Bulletin 2015421 (Emptoris Sourcing)
Vulnerability in IBM WebSphere Application Server Affects IBM Emptoris Sourcing, IBM Emptoris Contract Management, IBM Emptoris Spend Analysis, IBM Emptoris Program Management and IBM Emptoris Service Procurement (CVE-2017-1731)

Source: BID Type: Third Party Advisory, VDB Entry
102911

Source: CCN Type: BID-102911
IBM WebSphere Application Server CVE-2017-1731 Remote Privilege Escalation Vulnerability

Source: SECTRACK Type: Third Party Advisory, VDB Entry
1040356

Source: MISC Type: VDB Entry, Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/134912

Source: XF Type: UNKNOWN
ibm-websphere-cve20171731-priv-escalation(134912)

Source: CCN Type: IBM Security Bulletin 0713469 (Tivoli Monitoring V6)
Multiple vulnerabilities affect IBM Tivoli Monitoring embedded WebSphere Application and IHS server

Source: CCN Type: IBM Security Bulletin 2015034 (Content Collector)
Content Collector for Email affected by privilege escalation vulnerability in WebSphere Application Server

Vulnerable Configuration:

Configuration 1:
cpe:/a:ibm:websphere_application_server:*:*:*:*:*:*:*:* (Version >= 7.0.0.0 and <= 7.0.0.43) OR
cpe:/a:ibm:websphere_application_server:*:*:*:*:*:*:*:* (Version >= 8.0.0.0 and <= 8.0.0.14) OR
cpe:/a:ibm:websphere_application_server:*:*:*:*:*:*:*:* (Version >= 8.5.0.0 and <= 8.5.5.13) OR
cpe:/a:ibm:websphere_application_server:*:*:*:*:*:*:*:* (Version >= 9.0.0.0 and <= 9.0.0.6)

Configuration CCN 1:
cpe:/a:ibm:websphere_application_server:9.0:*:*:*:*:*:*:* OR
cpe:/a:ibm:websphere_application_server:7.0.0.35:*:*:*:*:*:*:* OR
cpe:/a:ibm:websphere_application_server:7.0.0.37:*:*:*:*:*:*:* OR
cpe:/a:ibm:websphere_application_server:7.0.0.39:*:*:*:*:*:*:* OR
cpe:/a:ibm:websphere_application_server:7.0.0.41:*:*:*:*:*:*:* OR
cpe:/a:ibm:websphere_application_server:7.0.0.43:*:*:*:*:*:*:* OR
cpe:/a:ibm:websphere_application_server:8.0.0.4:*:*:*:*:*:*:* OR
cpe:/a:ibm:websphere_application_server:8.0.0.5:*:*:*:*:*:*:* OR
cpe:/a:ibm:websphere_application_server:8.0.0.6:*:*:*:*:*:*:* OR
cpe:/a:ibm:websphere_application_server:8.0.0.7:*:*:*:*:*:*:* OR
cpe:/a:ibm:websphere_application_server:8.0.0.8:*:*:*:*:*:*:* OR
cpe:/a:ibm:websphere_application_server:8.0.0.9:*:*:*:*:*:*:* OR
cpe:/a:ibm:websphere_application_server:8.0.0.10:*:*:*:*:*:*:* OR
cpe:/a:ibm:websphere_application_server:8.0.0.11:*:*:*:*:*:*:* OR
cpe:/a:ibm:websphere_application_server:8.0.0.12:*:*:*:*:*:*:* OR
cpe:/a:ibm:websphere_application_server:8.0.0.13:*:*:*:*:*:*:* OR
cpe:/a:ibm:websphere_application_server:8.0.0.14:*:*:*:*:*:*:* OR
cpe:/a:ibm:websphere_application_server:8.5.5.7:*:*:*:*:*:*:* OR
cpe:/a:ibm:websphere_application_server:8.5.5.8:*:*:*:*:*:*:* OR
cpe:/a:ibm:websphere_application_server:8.5.5.9:*:*:*:*:*:*:* OR
cpe:/a:ibm:websphere_application_server:8.5.5.10:*:*:*:*:*:*:* OR
cpe:/a:ibm:websphere_application_server:8.5.5.11:*:*:*:*:*:*:* OR
cpe:/a:ibm:websphere_application_server:8.5.5.12:*:*:*:*:*:*:* OR
cpe:/a:ibm:websphere_application_server:9.0.0.1:*:*:*:*:*:*:* OR
cpe:/a:ibm:websphere_application_server:9.0.0.2:*:*:*:*:*:*:* OR
cpe:/a:ibm:websphere_application_server:9.0.0.3:*:*:*:*:*:*:* OR
cpe:/a:ibm:websphere_application_server:9.0.0.4:*:*:*:*:*:*:* OR
cpe:/a:ibm:websphere_application_server:9.0.0.5:*:*:*:*:*:*:* OR
cpe:/a:ibm:websphere_application_server:9.0.0.6:*:*:*:*:*:*:*
AND
cpe:/a:ibm:websphere_application_server:7.0:*:*:*:*:*:*:* OR
cpe:/a:ibm:websphere_application_server:8.0:*:*:*:*:*:*:* OR
cpe:/a:ibm:websphere_application_server:8.5:*:*:*:*:*:*:* OR
cpe:/a:ibm:content_collector:3.0.0.0:*:*:*:*:*:*:* OR
cpe:/a:ibm:tivoli_monitoring:6.2.3:*:*:*:*:*:*:* OR
cpe:/a:ibm:tivoli_monitoring:6.2.3.1:*:*:*:*:*:*:* OR
cpe:/a:ibm:tivoli_monitoring:6.2.3.2:*:*:*:*:*:*:* OR
cpe:/a:ibm:tivoli_monitoring:6.2.3.3:*:*:*:*:*:*:* OR
cpe:/a:ibm:tivoli_monitoring:6.2.3.4:*:*:*:*:*:*:* OR
cpe:/a:ibm:tivoli_monitoring:6.2.3.5:*:*:*:*:*:*:* OR
cpe:/a:ibm:tivoli_monitoring:6.3.0.2:*:*:*:*:*:*:* OR
cpe:/a:ibm:tivoli_monitoring:6.3.0.3:*:*:*:*:*:*:* OR
cpe:/a:ibm:tivoli_monitoring:6.3.0.4:*:*:*:*:*:*:* OR
cpe:/a:ibm:tivoli_monitoring:6.3.0.5:*:*:*:*:*:*:* OR
cpe:/a:ibm:tivoli_monitoring:6.3.0.6:*:*:*:*:*:*:* OR
cpe:/a:ibm:tivoli_monitoring:6.3.0.7:*:*:*:*:*:*:* OR
cpe:/a:ibm:emptoris_sourcing:*:*:*:*:*:*:*:*

ibm websphere application server *
ibm websphere application server *
ibm websphere application server *
ibm websphere application server *
ibm websphere application server 9.0
ibm websphere application server 7.0.0.35
ibm websphere application server 7.0.0.37
ibm websphere application server 7.0.0.39
ibm websphere application server 7.0.0.41
ibm websphere application server 7.0.0.43
ibm websphere application server 8.0.0.4
ibm websphere application server 8.0.0.5
ibm websphere application server 8.0.0.6
ibm websphere application server 8.0.0.7
ibm websphere application server 8.0.0.8
ibm websphere application server 8.0.0.9
ibm websphere application server 8.0.0.10
ibm websphere application server 8.0.0.11
ibm websphere application server 8.0.0.12
ibm websphere application server 8.0.0.13
ibm websphere application server 8.0.0.14
ibm websphere application server 8.5.5.7
ibm websphere application server 8.5.5.8
ibm websphere application server 8.5.5.9
ibm websphere application server 8.5.5.10
ibm websphere application server 8.5.5.11
ibm websphere application server 8.5.5.12
ibm websphere application server 9.0.0.1
ibm websphere application server 9.0.0.2
ibm websphere application server 9.0.0.3
ibm websphere application server 9.0.0.4
ibm websphere application server 9.0.0.5
ibm websphere application server 9.0.0.6
ibm websphere application server 7.0
ibm websphere application server 8.0
ibm websphere application server 8.5
ibm content collector 3.0.0.0
ibm tivoli monitoring 6.2.3
ibm tivoli monitoring 6.2.3.1
ibm tivoli monitoring 6.2.3.2
ibm tivoli monitoring 6.2.3.3
ibm tivoli monitoring 6.2.3.4
ibm tivoli monitoring 6.2.3.5
ibm tivoli monitoring 6.3.0.2
ibm tivoli monitoring 6.3.0.3
ibm tivoli monitoring 6.3.0.4
ibm tivoli monitoring 6.3.0.5
ibm tivoli monitoring 6.3.0.6
ibm tivoli monitoring 6.3.0.7
ibm emptoris sourcing *