PT-2014-2731 · IBM · Maximo Service Desk +5

Published: 2014-05-26 · Updated: 2017-08-29 · CVE-2013-4016

CVSS v2.0: 6.5 (Medium)

Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

IBM Maximo Asset Management versions 7.1.1 before 7.1.1.7 LAFIX.20140319-0837
IBM Maximo Asset Management versions 7.1.1.11 before IFIX.20140323-0749
IBM Maximo Asset Management versions 7.1.1.12 before IFIX.20140321-1336
IBM Maximo Asset Management versions 7.5.x before 7.5.0.3 IFIX027
IBM Maximo Asset Management versions 7.5.0.4 before IFIX011
IBM Maximo Asset Management versions 7.5.0.5 before IFIX006
SmartCloud Control Desk versions 7.x before 7.5.0.3
SmartCloud Control Desk versions 7.5.1.x before 7.5.1.2
Tivoli IT Asset Management for IT versions 7.x before 7.1.1.7 LAFIX.20140319-0837
Tivoli IT Asset Management for IT versions 7.1.1.11 before IFIX.20140207-1801
Tivoli IT Asset Management for IT versions 7.1.1.12 before IFIX.20140218-1510
Tivoli Service Request Manager versions 7.x before 7.1.1.7 LAFIX.20140319-0837
Tivoli Service Request Manager versions 7.1.1.11 before IFIX.20140207-1801
Tivoli Service Request Manager versions 7.1.1.12 before IFIX.20140218-1510
Maximo Service Desk versions 7.x before 7.1.1.7 LAFIX.20140319-0837
Maximo Service Desk versions 7.1.1.11 before IFIX.20140207-1801
Maximo Service Desk versions 7.1.1.12 before IFIX.20140218-1510
Change and Configuration Management Database (CCMDB) versions 7.x before 7.1.1.7 LAFIX.20140319-0837
Change and Configuration Management Database (CCMDB) versions 7.1.1.11 before IFIX.20140207-1801
Change and Configuration Management Database (CCMDB) versions 7.1.1.12 before IFIX.20140218-1510
Description

The issue allows remote authenticated users to execute arbitrary SQL commands via a BIRT report with a WHERE clause in plain text.
Recommendations

For IBM Maximo Asset Management versions 7.1.1 before 7.1.1.7 LAFIX.20140319-0837, update to version 7.1.1.7 LAFIX.20140319-0837 or later.
For IBM Maximo Asset Management versions 7.1.1.11 before IFIX.20140323-0749, update to version 7.1.1.11 IFIX.20140323-0749 or later.
For IBM Maximo Asset Management versions 7.1.1.12 before IFIX.20140321-1336, update to version 7.1.1.12 IFIX.20140321-1336 or later.
For IBM Maximo Asset Management versions 7.5.x before 7.5.0.3 IFIX027, update to version 7.5.0.3 IFIX027 or later.
For IBM Maximo Asset Management versions 7.5.0.4 before IFIX011, update to version 7.5.0.4 IFIX011 or later.
For IBM Maximo Asset Management versions 7.5.0.5 before IFIX006, update to version 7.5.0.5 IFIX006 or later.
For SmartCloud Control Desk versions 7.x before 7.5.0.3, update to version 7.5.0.3 or later.
For SmartCloud Control Desk versions 7.5.1.x before 7.5.1.2, update to version 7.5.1.2 or later.
For Tivoli IT Asset Management for IT, Tivoli Service Request Manager, Maximo Service Desk, and Change and Configuration Management Database (CCMDB) versions 7.x before 7.1.1.7 LAFIX.20140319-0837, update to version 7.1.1.7 LAFIX.20140319-0837 or later.
For Tivoli IT Asset Management for IT, Tivoli Service Request Manager, Maximo Service Desk, and Change and Configuration Management Database (CCMDB) versions 7.1.1.11 before IFIX.20140207-1801, update to version 7.1.1.11 IFIX.20140207-1801 or later.
For Tivoli IT Asset Management for IT, Tivoli Service Request Manager, Maximo Service Desk, and Change and Configuration Management Database (CCMDB) versions 7.1.1.12 before IFIX.20140218-1510, update to version 7.1.1.12 IFIX.20140218-1510 or later.

Fix

SQL injection


Weakness Enumeration

Related identifiers

CVE-2013-4016

Affected products

Change/Configuration Management Database
IBM Maximo Asset Management
Maximo Service Desk
SmartCloud Control Desk
Tivoli Asset Management for IT
Tivoli Service Request Manager