CVE-2013-3976 - OpenCVE

The (1) Data Protection for Exchange component 6.1 before 6.1.3.4 and 6.3 before 6.3.1 in IBM Tivoli Storage Manager for Mail and the (2) FlashCopy Manager for Exchange component 2.2 and 3.1 before 3.1.1 in IBM Tivoli Storage FlashCopy Manager do not properly constrain mailbox contents during certain PST restore operations, which allows remote authenticated users to read the personal e-mail of other users in opportunistic circumstances by launching an e-mail client after an administrator performs a multiple-mailbox restore.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity High

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:H/Au:S/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ibm	Data Protection Flashcopy Manager Tivoli Storage Flashcopy Manager Tivoli Storage Manager For Mail

Configuration 1 [-]

OR	cpe:2.3:a:ibm:data_protection:6.1:::::exchange_server::
	cpe:2.3:a:ibm:data_protection:6.3:::::exchange_server::
	cpe:2.3:a:ibm:flashcopy_manager:2.1:::::exchange_server::
	cpe:2.3:a:ibm:flashcopy_manager:2.2:::::exchange_server::
	cpe:2.3:a:ibm:flashcopy_manager:3.1:::::exchange_server::
	cpe:2.3:a:ibm:tivoli_storage_flashcopy_manager:-:::::::*
	cpe:2.3:a:ibm:tivoli_storage_manager_for_mail:-:::::::*

No data.

References

Link	Providers
http://www-01.ibm.com/support/docview.wss?uid=swg1IC81223
http://www-01.ibm.com/support/docview.wss?uid=swg21644407
https://exchange.xforce.ibmcloud.com/vulnerabilities/84881

History

No history.

MITRE

Status: PUBLISHED

Assigner: ibm

Published: 2014-03-26T10:00:00

Updated: 2024-08-06T16:30:49.522Z

Reserved: 2013-06-07T00:00:00

Link: CVE-2013-3976

Vulnrichment

No data.

NVD

Status : Modified

Published: 2014-03-26T10:55:05.117

Modified: 2017-08-29T01:33:30.590

Link: CVE-2013-3976

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2013-07-19T00:00:00", "descriptions": [{"lang": "en", "value": "The (1) Data Protection for Exchange component 6.1 before 6.1.3.4 and 6.3 before 6.3.1 in IBM Tivoli Storage Manager for Mail and the (2) FlashCopy Manager for Exchange component 2.2 and 3.1 before 3.1.1 in IBM Tivoli Storage FlashCopy Manager do not properly constrain mailbox contents during certain PST restore operations, which allows remote authenticated users to read the personal e-mail of other users in opportunistic circumstances by launching an e-mail client after an administrator performs a multiple-mailbox restore."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-28T12:57:01", "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm"}, "references": [{"name": "IC81223", "tags": ["vendor-advisory", "x_refsource_AIXAPAR"], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg1IC81223"}, {"name": "tsm-cve20133976-info-disclosure(84881)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/84881"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21644407"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@us.ibm.com", "ID": "CVE-2013-3976", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The (1) Data Protection for Exchange component 6.1 before 6.1.3.4 and 6.3 before 6.3.1 in IBM Tivoli Storage Manager for Mail and the (2) FlashCopy Manager for Exchange component 2.2 and 3.1 before 3.1.1 in IBM Tivoli Storage FlashCopy Manager do not properly constrain mailbox contents during certain PST restore operations, which allows remote authenticated users to read the personal e-mail of other users in opportunistic circumstances by launching an e-mail client after an administrator performs a multiple-mailbox restore."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "IC81223", "refsource": "AIXAPAR", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg1IC81223"}, {"name": "tsm-cve20133976-info-disclosure(84881)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/84881"}, {"name": "http://www-01.ibm.com/support/docview.wss?uid=swg21644407", "refsource": "CONFIRM", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21644407"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T16:30:49.522Z"}, "title": "CVE Program Container", "references": [{"name": "IC81223", "tags": ["vendor-advisory", "x_refsource_AIXAPAR", "x_transferred"], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg1IC81223"}, {"name": "tsm-cve20133976-info-disclosure(84881)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/84881"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21644407"}]}]}, "cveMetadata": {"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "assignerShortName": "ibm", "cveId": "CVE-2013-3976", "datePublished": "2014-03-26T10:00:00", "dateReserved": "2013-06-07T00:00:00", "dateUpdated": "2024-08-06T16:30:49.522Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ibm:data_protection:6.1:*:*:*:*:exchange_server:*:*", "matchCriteriaId": "D695A61E-C8B4-42E1-AB44-8FD23B25488A", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:data_protection:6.3:*:*:*:*:exchange_server:*:*", "matchCriteriaId": "CC59ADD5-61EF-46F6-880D-4FBA867EF7F4", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:flashcopy_manager:2.1:*:*:*:*:exchange_server:*:*", "matchCriteriaId": "807F1BE8-11D8-4EB0-9103-FF3F71EBEC33", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:flashcopy_manager:2.2:*:*:*:*:exchange_server:*:*", "matchCriteriaId": "4EF103FA-13A4-4D30-AA33-29F6E9D6B45C", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:flashcopy_manager:3.1:*:*:*:*:exchange_server:*:*", "matchCriteriaId": "FC44BC47-D3D9-456A-9AB0-263E7CAB1675", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:tivoli_storage_flashcopy_manager:-:*:*:*:*:*:*:*", "matchCriteriaId": "BE00269E-A50F-4384-BA4C-D13ED514BB8B", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:tivoli_storage_manager_for_mail:-:*:*:*:*:*:*:*", "matchCriteriaId": "32E6682D-02F1-42AD-BED7-7D08A9024122", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The (1) Data Protection for Exchange component 6.1 before 6.1.3.4 and 6.3 before 6.3.1 in IBM Tivoli Storage Manager for Mail and the (2) FlashCopy Manager for Exchange component 2.2 and 3.1 before 3.1.1 in IBM Tivoli Storage FlashCopy Manager do not properly constrain mailbox contents during certain PST restore operations, which allows remote authenticated users to read the personal e-mail of other users in opportunistic circumstances by launching an e-mail client after an administrator performs a multiple-mailbox restore."}, {"lang": "es", "value": "El (1) componente Data Protection para Exchange 6.1 anterior a 6.1.3.4 y 6.3 anterior a 6.3.1 en IBM Tivoli Storage Manager para Mail y el (2) componente FlashCopy Manager para Exchange 2.2 y 3.1 anterior a 3.1.1 en IBM Tivoli Storage FlashCopy Manager no limitan debidamente contenidos de buz\u00f3n durante ciertas operaciones de restablecer PST, lo que permite a usuarios remotos autenticados leer el email personal de otros usuarios en circunstancias oportunistas mediante el lanzamiento de un cliente de email despu\u00e9s de que un administrador realice un restablecimiento de m\u00faltiples buzones."}], "evaluatorImpact": "Per: http://www-01.ibm.com/support/docview.wss?uid=swg21644407\n\n\"AFFECTED PRODUCTS AND VERSIONS:\n\n Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server 6.1 and 6.3\n Tivoli Storage FlashCopy Manager: FlashCopy Manager for Microsoft Exchange Sever 2.1, 2.2, and 3.1\"", "id": "CVE-2013-3976", "lastModified": "2017-08-29T01:33:30.590", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:H/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-03-26T10:55:05.117", "references": [{"source": "psirt@us.ibm.com", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg1IC81223"}, {"source": "psirt@us.ibm.com", "tags": ["Vendor Advisory"], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21644407"}, {"source": "psirt@us.ibm.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/84881"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}