CVE-2016-3020 - OpenCVE

IBM Security Access Manager for Web 7.0.0, 8.0.0, and 9.0.0 could allow a remote attacker to bypass security restrictions, caused by improper content validation. By persuading a victim to open specially-crafted content, an attacker could exploit this vulnerability to bypass validation and load a page with malicious content.

No CVSS v3.1

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Ibm	Security Access Manager For Web 8.0 Firmware Security Access Manager 9.0 Firmware Security Access Manager For Mobile Appliance Security Access Manager For Web Appliance Security Access Manager For Mobile Security Access Manager For Web 7.0 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:ibm:security_access_manager_for_web_7.0_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:ibm:security_access_manager_for_web_appliance:7.0:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:ibm:security_access_manager_for_web_8.0_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:ibm:security_access_manager_for_web_appliance:8.0:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:a:ibm:security_access_manager_for_mobile:*:*:*:*:*:*:*:*

cpe:2.3:h:ibm:security_access_manager_for_mobile_appliance:8.0:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:ibm:security_access_manager_9.0_firmware:*:*:*:*:*:*:*:*

References

Link	Resource
http://www.ibm.com/support/docview.wss?uid=swg21996826	Patch Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: ibm

Published: 2017-02-07T16:00:00

Updated: 2017-02-07T15:57:01

Reserved: 2016-03-09T00:00:00

Link: CVE-2016-3020

JSON object: View

NVD Information

Status : Analyzed

Published: 2017-02-07T16:59:00.150

Modified: 2020-10-27T11:37:18.613

Link: CVE-2016-3020

JSON object: View

Redhat Information

No data.

CWE

CWE-284

{"containers": {"cna": {"affected": [{"product": "Access Manager", "vendor": "IBM Corporation", "versions": [{"status": "affected", "version": "9.0"}, {"status": "affected", "version": "9.0.0.1"}, {"status": "affected", "version": "9.0.1"}, {"status": "affected", "version": "7.0.0"}, {"status": "affected", "version": "8.0.0"}, {"status": "affected", "version": "8.0.0.1"}, {"status": "affected", "version": "8.0.0.2"}, {"status": "affected", "version": "8.0.0.3"}, {"status": "affected", "version": "8.0.0.4"}, {"status": "affected", "version": "8.0.0.5"}, {"status": "affected", "version": "8.0.1"}, {"status": "affected", "version": "8.0.1.2"}, {"status": "affected", "version": "8.0.1.3"}, {"status": "affected", "version": "8.0.1.4"}, {"status": "affected", "version": "9.0.0"}, {"status": "affected", "version": "9.0.1.0"}, {"status": "affected", "version": "9.0.2.0"}]}], "datePublic": "2017-01-30T00:00:00", "descriptions": [{"lang": "en", "value": "IBM Security Access Manager for Web 7.0.0, 8.0.0, and 9.0.0 could allow a remote attacker to bypass security restrictions, caused by improper content validation. By persuading a victim to open specially-crafted content, an attacker could exploit this vulnerability to bypass validation and load a page with malicious content."}], "problemTypes": [{"descriptions": [{"description": "Bypass Security", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-02-07T15:57:01", "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://www.ibm.com/support/docview.wss?uid=swg21996826"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@us.ibm.com", "ID": "CVE-2016-3020", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Access Manager", "version": {"version_data": [{"version_value": "9.0"}, {"version_value": "9.0.0.1"}, {"version_value": "9.0.1"}, {"version_value": "7.0.0"}, {"version_value": "8.0.0"}, {"version_value": "8.0.0.1"}, {"version_value": "8.0.0.2"}, {"version_value": "8.0.0.3"}, {"version_value": "8.0.0.4"}, {"version_value": "8.0.0.5"}, {"version_value": "8.0.1"}, {"version_value": "8.0.1.2"}, {"version_value": "8.0.1.3"}, {"version_value": "8.0.1.4"}, {"version_value": "9.0.0"}, {"version_value": "9.0.1.0"}, {"version_value": "9.0.2.0"}]}}]}, "vendor_name": "IBM Corporation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "IBM Security Access Manager for Web 7.0.0, 8.0.0, and 9.0.0 could allow a remote attacker to bypass security restrictions, caused by improper content validation. By persuading a victim to open specially-crafted content, an attacker could exploit this vulnerability to bypass validation and load a page with malicious content."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Bypass Security"}]}]}, "references": {"reference_data": [{"name": "http://www.ibm.com/support/docview.wss?uid=swg21996826", "refsource": "CONFIRM", "url": "http://www.ibm.com/support/docview.wss?uid=swg21996826"}]}}}}, "cveMetadata": {"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "assignerShortName": "ibm", "cveId": "CVE-2016-3020", "datePublished": "2017-02-07T16:00:00", "dateReserved": "2016-03-09T00:00:00", "dateUpdated": "2017-02-07T15:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ibm:security_access_manager_for_web_7.0_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "5A5ACB34-BC23-4175-9F6A-91FB6762A040", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ibm:security_access_manager_for_web_appliance:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "A7844D23-8DAB-4A9A-B0D4-734DF8FBFE02", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ibm:security_access_manager_for_web_8.0_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "35BD8955-4735-4FDC-906A-B404C4E36417", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ibm:security_access_manager_for_web_appliance:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "1C5EBB4D-36F8-453C-9D2C-A63490144596", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ibm:security_access_manager_for_mobile:*:*:*:*:*:*:*:*", "matchCriteriaId": "6921A2CC-67D0-41B5-908B-F002C14AFD70", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ibm:security_access_manager_for_mobile_appliance:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "506C4B29-BC71-4C56-BAB1-06E63BEB1DD3", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ibm:security_access_manager_9.0_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "F5B95177-2AA3-45D4-895D-56CA35B32813", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "IBM Security Access Manager for Web 7.0.0, 8.0.0, and 9.0.0 could allow a remote attacker to bypass security restrictions, caused by improper content validation. By persuading a victim to open specially-crafted content, an attacker could exploit this vulnerability to bypass validation and load a page with malicious content."}, {"lang": "es", "value": "IBM Security Access Manager para Web 7.0.0, 8.0.0 y 9.0.0 podr\u00eda permitir a un atacante remoto eludir las restricciones de seguridad, causada por la validaci\u00f3n del contenido indebido. Al persuadir a una v\u00edctima para abrir contenido especialmente manipulado, un atacante podr\u00eda aprovechar esta vulnerabilidad para eludir la validaci\u00f3n y cargar una p\u00e1gina con contenido malicioso."}], "id": "CVE-2016-3020", "lastModified": "2020-10-27T11:37:18.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-02-07T16:59:00.150", "references": [{"source": "psirt@us.ibm.com", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.ibm.com/support/docview.wss?uid=swg21996826"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "nvd@nist.gov", "type": "Primary"}]}