CVE-2006-3861

IBM Informix Dynamic Server (IDS) before 9.40.xC7 and 10.00 before 10.00.xC3 does not use database creation permissions, which allows remote authenticated users to create arbitrary databases.

CVSS v2.0 4.0 MEDIUM

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:N/I:P/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://secunia.com/advisories/21301	Patch Vendor Advisory
http://www-1.ibm.com/support/docview.wss?uid=swg21242921	Patch
http://www.databasesecurity.com/informix/DatabaseHackersHandbook-AttackingInformix.pdf
http://www.osvdb.org/27692
http://www.securityfocus.com/archive/1/443133/100/0/threaded
http://www.securityfocus.com/archive/1/443192/100/0/threaded
http://www.securityfocus.com/bid/19264	Patch
http://www.vupen.com/english/advisories/2006/3077
https://exchange.xforce.ibmcloud.com/vulnerabilities/28148

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ibm:informix_dynamic_server:7.31:::::::*
	cpe:2.3:a:ibm:informix_dynamic_server:9.4:::::::*
	cpe:2.3:a:ibm:informix_dynamic_server:9.40.tc5:::::::*
	cpe:2.3:a:ibm:informix_dynamic_server:9.40.uc1:::::::*
	cpe:2.3:a:ibm:informix_dynamic_server:9.40.uc2:::::::*
	cpe:2.3:a:ibm:informix_dynamic_server:9.40.uc3:::::::*
	cpe:2.3:a:ibm:informix_dynamic_server:9.40.uc5:::::::*
	cpe:2.3:a:ibm:informix_dynamic_server:9.40.xc5:::::::*
	cpe:2.3:a:ibm:informix_dynamic_server:10.0:::::::*
	cpe:2.3:a:ibm:informix_dynamic_server:10.0.xc1:::::::*

History

No history.

Information

Published : 2006-08-08 22:04

Updated : 2024-02-28 10:42

NVD link : CVE-2006-3861

Mitre link : CVE-2006-3861

CVE.ORG link : CVE-2006-3861

JSON object : View

Products Affected

ibm

informix_dynamic_server

CWE

NVD-CWE-Other

{"id": "CVE-2006-3861", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2006-08-08T22:04:00.000", "references": [{"url": "http://secunia.com/advisories/21301", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://www-1.ibm.com/support/docview.wss?uid=swg21242921", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "http://www.databasesecurity.com/informix/DatabaseHackersHandbook-AttackingInformix.pdf", "source": "cve@mitre.org"}, {"url": "http://www.osvdb.org/27692", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/archive/1/443133/100/0/threaded", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/archive/1/443192/100/0/threaded", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/19264", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "http://www.vupen.com/english/advisories/2006/3077", "source": "cve@mitre.org"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/28148", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "IBM Informix Dynamic Server (IDS) before 9.40.xC7 and 10.00 before 10.00.xC3 does not use database creation permissions, which allows remote authenticated users to create arbitrary databases."}, {"lang": "es", "value": "IBM Informix Dynamic Server (IDS) anterior a 9.40.xC7 y 10.00 anterior a 10.00.xC3 no utiliza permisos de creaci\u00f3n de bases de datos, lo cual permite a usuarios autenticados remotamente crear bases de datos de su elecci\u00f3n."}], "lastModified": "2018-10-17T21:32:02.563", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ibm:informix_dynamic_server:7.31:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "45A93A4B-8AB8-4BC7-9253-8DDA9D091C0A"}, {"criteria": "cpe:2.3:a:ibm:informix_dynamic_server:9.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "58A9F81C-C618-435D-9912-0E61EAB02560"}, {"criteria": "cpe:2.3:a:ibm:informix_dynamic_server:9.40.tc5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CE9B0C17-2D85-4729-85EF-2F5C750BF51B"}, {"criteria": "cpe:2.3:a:ibm:informix_dynamic_server:9.40.uc1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "910D9A17-43A7-4F9E-98E0-2C465AC8BD2F"}, {"criteria": "cpe:2.3:a:ibm:informix_dynamic_server:9.40.uc2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1E61711D-4C3E-4A6D-89A8-85B7CDD7FAE1"}, {"criteria": "cpe:2.3:a:ibm:informix_dynamic_server:9.40.uc3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B2CD7B84-2861-4542-8A08-C668065C8DB4"}, {"criteria": "cpe:2.3:a:ibm:informix_dynamic_server:9.40.uc5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E64D85E2-AA7E-4704-A2FA-BD69744423CF"}, {"criteria": "cpe:2.3:a:ibm:informix_dynamic_server:9.40.xc5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "21FF7CE7-A061-425B-A29B-1EC6DEDA2C10"}, {"criteria": "cpe:2.3:a:ibm:informix_dynamic_server:10.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1716E256-B186-442F-8C4C-9305E0953081"}, {"criteria": "cpe:2.3:a:ibm:informix_dynamic_server:10.0.xc1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5634CF97-CBD3-4CA3-8144-2F875FDD3FA4"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org", "evaluatorSolution": "This vulnerability is addressed in the following product releases:\r\nIBM, Informix IDS, 9.40 xC7 \r\nIBM, Informix IDS, 10.00 xC3"}