CVE-2014-6102

Current Description

IBM Maximo Asset Management 7.1 through 7.1.1.13 and 7.5.0 before 7.5.0.6 IFIX008, Maximo Asset Management 7.5.0 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk, and Maximo Asset Management 7.1 through 7.1.1.13 and 7.2 for Tivoli IT Asset Management for IT and certain other products do not properly handle logout actions, which allows remote attackers to bypass intended Cognos BI Direct Integration access restrictions by leveraging an unattended workstation.

Evaluator Description

Per an IBM Security Bulletin, IBM identifies the access vector as local.

Basic Data

Published: February 17, 2015
Last Modified: September 08, 2017
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-264
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:L/AC:L/Au:N/C:N/I:P/A:N
CVSS 2 - Access Vector: LOCAL
CVSS 2 - Access Complexity: LOW
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: NONE
CVSS 2 - Availability Impact: NONE
CVSS 2 - Base Score: 2.1
Severity: LOW
Exploitability Score: 3.9
Impact Score: 2.9
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
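    Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding
    2.3 | Application | Ibm | Change And Configuration Management Database | 7.1 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Change And Configuration Management Database | 7.2 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Maximo Asset Management | 7.1 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Maximo Asset Management | 7.1.1 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Maximo Asset Management | 7.1.1.1 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Maximo Asset Management | 7.1.1.2 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Maximo Asset Management | 7.1.1.5 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Maximo Asset Management | 7.1.1.6 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Maximo Asset Management | 7.1.1.7 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Maximo Asset Management | 7.1.1.8 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Maximo Asset Management | 7.1.1.9 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Maximo Asset Management | 7.1.1.10 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Maximo Asset Management | 7.1.1.11 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Maximo Asset Management | 7.1.1.12 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Maximo Asset Management | 7.1.1.13 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Maximo Asset Management | 7.1.2 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Maximo Asset Management | 7.5.0.0 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Maximo Asset Management | 7.5.0.1 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Maximo Asset Management | 7.5.0.2 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Maximo Asset Management | 7.5.0.3 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Maximo Asset Management | 7.5.0.4 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Maximo Asset Management | 7.5.0.5 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Maximo Asset Management | 7.5.0.6 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Maximo Asset Management | 7.5.0.10 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Maximo Asset Management Essentials | 7.1 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Maximo Asset Management Essentials | 7.5.0.0 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Maximo For Government | 7.1 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Maximo For Government | 7.5.0.0 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Maximo For Life Sciences | 7.1 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Maximo For Life Sciences | 7.5.0.0 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Maximo For Nuclear Power | 7.1 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Maximo For Nuclear Power | 7.5.0.0 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Maximo For Oil And Gas | 7.1 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Maximo For Oil And Gas | 7.5.0.0 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Maximo For Transportation | 7.1 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Maximo For Transportation | 7.5.0.0 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Maximo For Utilities | 7.1 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Maximo For Utilities | 7.5.0.0 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Smartcloud Control Desk | 7.5.0.1 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Smartcloud Control Desk | 7.5.0.2 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Smartcloud Control Desk | 7.5.0.3 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Smartcloud Control Desk | 7.5.0.5 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Smartcloud Control Desk | 7.5.1.0 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Smartcloud Control Desk | 7.5.1.1 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Tivoli Asset Management For It | 7.1 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Tivoli Asset Management For It | 7.2 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Tivoli Service Request Manager | 7.1 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Ibm | Tivoli Service Request Manager | 7.2 | * | * | * | * | * | * | * | | | |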

Vulnerable Software List

Vendor | Product | Versions
Ibm | Smartcloud Control Desk | 7.5.0.1, 7.5.0.2, 7.5.0.3, 7.5.0.5, 7.5.1.0, 7.5.1.1
Ibm | Tivoli Service Request Manager | 7.1, 7.2
Ibm | Maximo Asset Management | 7.1, 7.1.1, 7.1.1.1, 7.1.1.10, 7.1.1.11, 7.1.1.12, 7.1.1.13, 7.1.1.2, 7.1.1.5, 7.1.1.6, 7.1.1.7, 7.1.1.8, 7.1.1.9, 7.1.2, 7.5.0.0, 7.5.0.1, 7.5.0.10, 7.5.0.2, 7.5.0.3, 7.5.0.4, 7.5.0.5, 7.5.0.6
Ibm | Maximo Asset Management Essentials | 7.1, 7.5.0.0
Ibm | Maximo For Government | 7.1, 7.5.0.0
Ibm | Maximo For Life Sciences | 7.1, 7.5.0.0
Ibm | Tivoli Asset Management For It | 7.1, 7.2
Ibm | Maximo For Nuclear Power | 7.1, 7.5.0.0
Ibm | Maximo For Oil And Gas | 7.1, 7.5.0.0
Ibm | Maximo For Transportation | 7.1, 7.5.0.0
Ibm | Maximo For Utilities | 7.1, 7.5.0.0
Ibm | Change And Configuration Management Database | 7.1, 7.2

References

Name | Source | URL | Tags
http://www-01.ibm.com/support/docview.wss?uid=swg21695597 | CONFIRM | http://www-01.ibm.com/support/docview.wss?uid=swg21695597 | PATCH Vendor Advisory
ibm-maximo-cve20146102-sec-bypass(96141) | XF | https://exchange.xforce.ibmcloud.com/vulnerabilities/96141 |