CVE-2016-0318 - OpenCVE

Lifecycle Query Engine (LQE) in IBM Jazz Reporting Service 6.0 and 6.0.1 before 6.0.1 iFix006 does not destroy a Session ID upon a logout action, which allows remote attackers to obtain access by leveraging an unattended workstation.

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:S/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Ibm	Jazz Reporting Service

Configuration 1 [-]

OR	cpe:2.3:a:ibm:jazz_reporting_service:6.0:::::::*
	cpe:2.3:a:ibm:jazz_reporting_service:6.0.1:::::::*

References

Link	Resource
http://www-01.ibm.com/support/docview.wss?uid=swg21983137	Patch Vendor Advisory
http://www.securityfocus.com/bid/92466

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: ibm

Published: 2016-11-25T20:00:00

Updated: 2016-11-28T10:57:02

Reserved: 2015-12-08T00:00:00

Link: CVE-2016-0318

JSON object: View

NVD Information

Status : Analyzed

Published: 2016-11-25T20:59:03.703

Modified: 2016-11-29T00:02:22.257

Link: CVE-2016-0318

JSON object: View

Redhat Information

No data.

CWE

CWE-284

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ibm:jazz_reporting_service:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "07DD3FB3-ABE3-4645-9AFB-429EA4EA818D", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:jazz_reporting_service:6.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "FF3780DD-9FAC-4850-AA83-DCA7D013FB3E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Lifecycle Query Engine (LQE) in IBM Jazz Reporting Service 6.0 and 6.0.1 before 6.0.1 iFix006 does not destroy a Session ID upon a logout action, which allows remote attackers to obtain access by leveraging an unattended workstation."}, {"lang": "es", "value": "Lifecycle Query Engine (LQE) en IBM Jazz Reporting Service 6.0 y 6.0.1 en versiones anteriores a 6.0.1 iFix006 no destruye un ID de sesi\u00f3n en una acci\u00f3n de cierre de sesi\u00f3n, lo que permite a atacantes remotos obtener acceso aprovechando una estaci\u00f3n de trabajo desatendida."}], "id": "CVE-2016-0318", "lastModified": "2016-11-29T00:02:22.257", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.0"}, "exploitabilityScore": 1.6, "impactScore": 3.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-11-25T20:59:03.703", "references": [{"source": "psirt@us.ibm.com", "tags": ["Patch", "Vendor Advisory"], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21983137"}, {"source": "psirt@us.ibm.com", "url": "http://www.securityfocus.com/bid/92466"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "nvd@nist.gov", "type": "Primary"}]}