CVE-2019-4138 - OpenCVE

IBM Tivoli Storage Productivity Center 5.2.13 through 5.3.0.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. X-Force ID: 158334.

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Ibm	Spectrum Control

Configuration 1 [-]

OR	cpe:2.3:a:ibm:spectrum_control::::::::
	cpe:2.3:a:ibm:spectrum_control::::::::

References

Link	Resource
http://www.ibm.com/support/docview.wss?uid=ibm10880375	Patch Vendor Advisory
http://www.securityfocus.com/bid/108533
https://exchange.xforce.ibmcloud.com/vulnerabilities/158334	Vendor Advisory VDB Entry

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: ibm

Published: 2019-05-23T00:00:00

Updated: 2019-06-03T06:06:02

Reserved: 2019-01-03T00:00:00

Link: CVE-2019-4138

JSON object: View

NVD Information

Status : Modified

Published: 2019-05-29T15:29:00.547

Modified: 2020-08-24T17:37:01.140

Link: CVE-2019-4138

JSON object: View

Redhat Information

No data.

CWE

CWE-522

{"containers": {"cna": {"affected": [{"product": "Spectrum Control Standard Edition", "vendor": "IBM", "versions": [{"status": "affected", "version": "5.2.13"}, {"status": "affected", "version": "5.2.14"}, {"status": "affected", "version": "5.2.15"}, {"status": "affected", "version": "5.2.16"}, {"status": "affected", "version": "5.2.15.2"}, {"status": "affected", "version": "5.2.17.0"}, {"status": "affected", "version": "5.2.17.1"}, {"status": "affected", "version": "5.2.17.2"}, {"status": "affected", "version": "5.3.0.1"}, {"status": "affected", "version": "5.3.15.3.2"}]}], "datePublic": "2019-05-23T00:00:00", "descriptions": [{"lang": "en", "value": "IBM Tivoli Storage Productivity Center 5.2.13 through 5.3.0.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. X-Force ID: 158334."}], "metrics": [{"cvssV3_0": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "exploitCodeMaturity": "UNPROVEN", "integrityImpact": "NONE", "privilegesRequired": "NONE", "remediationLevel": "OFFICIAL_FIX", "reportConfidence": "CONFIRMED", "scope": "UNCHANGED", "temporalScore": 5.2, "temporalSeverity": "MEDIUM", "userInteraction": "NONE", "vectorString": "CVSS:3.0/S:U/UI:N/C:H/A:N/I:N/AC:H/PR:N/AV:N/E:U/RC:C/RL:O", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "Obtain Information", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-06-03T06:06:02", "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://www.ibm.com/support/docview.wss?uid=ibm10880375"}, {"name": "ibm-tivoli-cve20194138-info-disc (158334)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/158334"}, {"name": "108533", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/108533"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@us.ibm.com", "DATE_PUBLIC": "2019-05-23T00:00:00", "ID": "CVE-2019-4138", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Spectrum Control Standard Edition", "version": {"version_data": [{"version_value": "5.2.13"}, {"version_value": "5.2.14"}, {"version_value": "5.2.15"}, {"version_value": "5.2.16"}, {"version_value": "5.2.15.2"}, {"version_value": "5.2.17.0"}, {"version_value": "5.2.17.1"}, {"version_value": "5.2.17.2"}, {"version_value": "5.3.0.1"}, {"version_value": "5.3.15.3.2"}]}}]}, "vendor_name": "IBM"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "IBM Tivoli Storage Productivity Center 5.2.13 through 5.3.0.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. X-Force ID: 158334."}]}, "impact": {"cvssv3": {"BM": {"A": "N", "AC": "H", "AV": "N", "C": "H", "I": "N", "PR": "N", "S": "U", "UI": "N"}, "TM": {"E": "U", "RC": "C", "RL": "O"}}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Obtain Information"}]}]}, "references": {"reference_data": [{"name": "http://www.ibm.com/support/docview.wss?uid=ibm10880375", "refsource": "CONFIRM", "title": "IBM Security Bulletin 880375 (Spectrum Control Standard Edition)", "url": "http://www.ibm.com/support/docview.wss?uid=ibm10880375"}, {"name": "ibm-tivoli-cve20194138-info-disc (158334)", "refsource": "XF", "title": "X-Force Vulnerability Report", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/158334"}, {"name": "108533", "refsource": "BID", "url": "http://www.securityfocus.com/bid/108533"}]}}}}, "cveMetadata": {"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "assignerShortName": "ibm", "cveId": "CVE-2019-4138", "datePublished": "2019-05-23T00:00:00", "dateReserved": "2019-01-03T00:00:00", "dateUpdated": "2019-06-03T06:06:02", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ibm:spectrum_control:*:*:*:*:*:*:*:*", "matchCriteriaId": "F33A9327-DBF9-4DC7-B08C-F44F16057171", "versionEndIncluding": "5.2.17.2", "versionStartIncluding": "5.2.13.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:spectrum_control:*:*:*:*:*:*:*:*", "matchCriteriaId": "4F331B27-A478-4D4A-89C0-13DBF01B20A5", "versionEndIncluding": "5.3.2.0", "versionStartIncluding": "5.3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "IBM Tivoli Storage Productivity Center 5.2.13 through 5.3.0.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. X-Force ID: 158334."}, {"lang": "es", "value": "IBM Tivoli Storage Productivity Center versi\u00f3n 5.2.13 hasta 5.3.0.1, podr\u00eda permitir a un atacante remoto conseguir informaci\u00f3n confidencial, generada por el hecho de no habilitar apropiadamente HTTP Strict Transport Security. Un atacante podr\u00eda aprovechar esta vulnerabilidad para conseguir informaci\u00f3n confidencial utilizando t\u00e9cnicas de tipo \"man in the middle\". X-Force ID: 158334."}], "id": "CVE-2019-4138", "lastModified": "2020-08-24T17:37:01.140", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "psirt@us.ibm.com", "type": "Secondary"}]}, "published": "2019-05-29T15:29:00.547", "references": [{"source": "psirt@us.ibm.com", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.ibm.com/support/docview.wss?uid=ibm10880375"}, {"source": "psirt@us.ibm.com", "url": "http://www.securityfocus.com/bid/108533"}, {"source": "psirt@us.ibm.com", "tags": ["Vendor Advisory", "VDB Entry"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/158334"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}]}