Vulnerability CVE-2018-1749

Vulnerability Name:

CVE-2018-1749 (CCN-148484)

Assigned:

2017-12-13

Published:

2018-10-04

Updated:

2020-08-24

Summary:

IBM Tivoli Key Lifecycle Manager 2.6, 2.7, and 3.0 uses incomplete blacklisting for input validation which allows attackers to bypass application controls resulting in direct impact to the system and data integrity. IBM X-Force ID: 148484.

CVSS v3 Severity:

6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): High Availibility (A): None

4.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
3.8 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-noinfo

Vulnerability Consequences:

Bypass Security

References:

Source: MITRE
Type: CNA
CVE-2018-1749

Source: CCN
Type: IBM Security Bulletin 733303 (Security Key Lifecycle Manager)
IBM Security Key Lifecycle Manager is vulnerable to Hazardous Input Validation ( CVE-2018-1749)

Source: CONFIRM
Type: Patch, Vendor Advisory
http://www.ibm.com/support/docview.wss?uid=ibm10733303

Source: XF
Type: UNKNOWN
ibm-tivoli-cve20181749-sec-bypass(148484)

Source: XF
Type: VDB Entry, Vendor Advisory
ibm-tivoli-cve20181749-sec-bypass(148484)

Vulnerable Configuration:

Configuration 1:

cpe:/a:ibm:security_key_lifecycle_manager:*:*:*:*:*:*:*:* (Version >= 2.6.0 and <= 2.6.0.4)

OR cpe:/a:ibm:security_key_lifecycle_manager:*:*:*:*:*:*:*:* (Version >= 2.7.0 and <= 2.7.0.3)

OR cpe:/a:ibm:security_key_lifecycle_manager:*:*:*:*:*:*:*:* (Version >= 3.0 and <= 3.0.0.1)

Configuration CCN 1:

cpe:/a:ibm:security_key_lifecycle_manager:3.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

BACK