CVE-2017-1440

IBM Emptoris Services Procurement 10.0.0.5 could allow a remote attacker to include arbitrary files. A remote attacker could send a specially-crafted URL to specify a malicious file from a remote system, which could allow the attacker to execute arbitrary code on the vulnerable Web server. IBM X-Force ID: 128105.

CVSS v3 8.8 HIGH
CVSS v2.0 6.5 MEDIUM

8.8^/10

CVSS v3 : HIGH

Vector : AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.5^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://www-01.ibm.com/support/docview.wss?uid=swg22005550	Patch Vendor Advisory
http://www.securityfocus.com/bid/99542	Third Party Advisory VDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/128105	VDB Entry Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ibm:emptoris_services_procurement:10.0.0.0:::::::*
	cpe:2.3:a:ibm:emptoris_services_procurement:10.0.0.1:::::::*
	cpe:2.3:a:ibm:emptoris_services_procurement:10.0.0.2:::::::*
	cpe:2.3:a:ibm:emptoris_services_procurement:10.0.0.3:::::::*
	cpe:2.3:a:ibm:emptoris_services_procurement:10.0.0.4:::::::*
	cpe:2.3:a:ibm:emptoris_services_procurement:10.0.0.5:::::::*
	cpe:2.3:a:ibm:emptoris_services_procurement:10.1.1.0:::::::*

History

No history.

Information

Published : 2017-08-30 21:29

Updated : 2024-02-28 16:04

NVD link : CVE-2017-1440

Mitre link : CVE-2017-1440

CVE.ORG link : CVE-2017-1440

JSON object : View

Products Affected

ibm

emptoris_services_procurement

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2017-1440", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2017-08-30T21:29:00.367", "references": [{"url": "http://www-01.ibm.com/support/docview.wss?uid=swg22005550", "tags": ["Patch", "Vendor Advisory"], "source": "psirt@us.ibm.com"}, {"url": "http://www.securityfocus.com/bid/99542", "tags": ["Third Party Advisory", "VDB Entry"], "source": "psirt@us.ibm.com"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/128105", "tags": ["VDB Entry", "Vendor Advisory"], "source": "psirt@us.ibm.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "IBM Emptoris Services Procurement 10.0.0.5 could allow a remote attacker to include arbitrary files. A remote attacker could send a specially-crafted URL to specify a malicious file from a remote system, which could allow the attacker to execute arbitrary code on the vulnerable Web server. IBM X-Force ID: 128105."}, {"lang": "es", "value": "IBM Emptoris Services Procurement 10.0.0.5 podr\u00eda permitir a un atacante remoto incluir archivos arbitrarios. Un atacante remoto podr\u00eda enviar una URL especialmente manipulada para especificar un archivo malicioso desde un sistema remoto, que podr\u00eda permitir al atacante ejecutar c\u00f3digo arbitrario en el servidor web vulnerable. IBM X-Force ID: 128105."}], "lastModified": "2019-10-03T00:03:26.223", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ibm:emptoris_services_procurement:10.0.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B8C33906-5E82-4E6B-8366-DAF2D8E257C0"}, {"criteria": "cpe:2.3:a:ibm:emptoris_services_procurement:10.0.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "433B6F1E-A425-48AA-A122-A5C607B25BFC"}, {"criteria": "cpe:2.3:a:ibm:emptoris_services_procurement:10.0.0.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9178BB81-6C4E-4FE3-8C88-14FE4D93FEBE"}, {"criteria": "cpe:2.3:a:ibm:emptoris_services_procurement:10.0.0.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B126FA9F-D8F8-4089-A98B-E3E506685934"}, {"criteria": "cpe:2.3:a:ibm:emptoris_services_procurement:10.0.0.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8D8A7113-0F4B-4E7A-AB03-C86794E54B6F"}, {"criteria": "cpe:2.3:a:ibm:emptoris_services_procurement:10.0.0.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6C4C2602-FF2D-4D16-941E-96C45D563327"}, {"criteria": "cpe:2.3:a:ibm:emptoris_services_procurement:10.1.1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4F195668-2897-4365-98C7-1F969AEF0822"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@us.ibm.com"}