CVE-2014-6194

Current Description

Directory traversal vulnerability in an unspecified web form in IBM Maximo Asset Management 7.1 through 7.1.1.13 and 7.5.0 before 7.5.0.6 IFIX007, Maximo Asset Management 7.5.0 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk, and Maximo Asset Management 7.1 through 7.1.1.13 and 7.2 for Tivoli IT Asset Management for IT and certain other products allows remote authenticated users to read arbitrary files via a .. (dot dot) in a pathname.

Basic Data

Published: February 17, 2015
Last Modified: September 08, 2017
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-22
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: LOW
CVSS 2 - Authentication: SINGLE
CVSS 2 - Confidentiality Impact: PARTIAL
CVSS 2 - Availability Impact: NONE
CVSS 2 - Base Score: 4.0
Severity: MEDIUM
Exploitability Score: 8.0
Impact Score: 2.9
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
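    | Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
    | 2.3 | Application | Ibm | Change And Configuration Management Database | 7.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Change And Configuration Management Database | 7.2 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Maximo Asset Management | 7.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Maximo Asset Management | 7.1.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Maximo Asset Management | 7.1.1.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Maximo Asset Management | 7.1.1.2 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Maximo Asset Management | 7.1.1.5 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Maximo Asset Management | 7.1.1.6 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Maximo Asset Management | 7.1.1.7 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Maximo Asset Management | 7.1.1.8 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Maximo Asset Management | 7.1.1.9 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Maximo Asset Management | 7.1.1.10 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Maximo Asset Management | 7.1.1.11 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Maximo Asset Management | 7.1.1.12 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Maximo Asset Management | 7.1.1.13 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Maximo Asset Management | 7.1.2 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Maximo Asset Management | 7.5.0.0 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Maximo Asset Management | 7.5.0.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Maximo Asset Management | 7.5.0.2 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Maximo Asset Management | 7.5.0.3 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Maximo Asset Management | 7.5.0.4 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Maximo Asset Management | 7.5.0.5 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Maximo Asset Management | 7.5.0.6 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Maximo Asset Management | 7.5.0.10 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Maximo Asset Management Essentials | 7.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Maximo Asset Management Essentials | 7.5.0.0 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Maximo For Government | 7.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Maximo For Government | 7.5.0.0 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Maximo For Life Sciences | 7.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Maximo For Life Sciences | 7.5.0.0 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Maximo For Nuclear Power | 7.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Maximo For Nuclear Power | 7.5.0.0 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Maximo For Oil And Gas | 7.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Maximo For Oil And Gas | 7.5.0.0 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Maximo For Transportation | 7.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Maximo For Transportation | 7.5.0.0 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Maximo For Utilities | 7.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Maximo For Utilities | 7.5.0.0 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Smartcloud Control Desk | 7.5.0.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Smartcloud Control Desk | 7.5.0.2 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Smartcloud Control Desk | 7.5.0.3 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Smartcloud Control Desk | 7.5.0.5 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Smartcloud Control Desk | 7.5.1.0 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Smartcloud Control Desk | 7.5.1.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Tivoli Asset Management For It | 7.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Tivoli Asset Management For It | 7.2 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Tivoli Service Request Manager | 7.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Ibm | Tivoli Service Request Manager | 7.2 | * | * | * | * | * | * | * | | | | |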

Vulnerable Software List

| Vendor | Product | Versions |
| Ibm | Smartcloud Control Desk | 7.5.0.1, 7.5.0.2, 7.5.0.3, 7.5.0.5, 7.5.1.0, 7.5.1.1 |
| Ibm | Tivoli Service Request Manager | 7.1, 7.2 |
| Ibm | Maximo Asset Management | 7.1, 7.1.1, 7.1.1.1, 7.1.1.10, 7.1.1.11, 7.1.1.12, 7.1.1.13, 7.1.1.2, 7.1.1.5, 7.1.1.6, 7.1.1.7, 7.1.1.8, 7.1.1.9, 7.1.2, 7.5.0.0, 7.5.0.1, 7.5.0.10, 7.5.0.2, 7.5.0.3, 7.5.0.4, 7.5.0.5, 7.5.0.6 |
| Ibm | Maximo Asset Management Essentials | 7.1, 7.5.0.0 |
| Ibm | Maximo For Government | 7.1, 7.5.0.0 |
| Ibm | Maximo For Life Sciences | 7.1, 7.5.0.0 |
| Ibm | Tivoli Asset Management For It | 7.1, 7.2 |
| Ibm | Maximo For Nuclear Power | 7.1, 7.5.0.0 |
| Ibm | Maximo For Oil And Gas | 7.1, 7.5.0.0 |
| Ibm | Maximo For Transportation | 7.1, 7.5.0.0 |
| Ibm | Maximo For Utilities | 7.1, 7.5.0.0 |
| Ibm | Change And Configuration Management Database | 7.1, 7.2 |

References

| Name | Source | URL | Tags |
| http://www-01.ibm.com/support/docview.wss?uid=swg21694035 | CONFIRM | http://www-01.ibm.com/support/docview.wss?uid=swg21694035 | PATCH Vendor Advisory |
| ibm-maximo-cve20146194-dir-traversal(98605) | XF | https://exchange.xforce.ibmcloud.com/vulnerabilities/98605 | |