CVE-2019-4138 - OpenCVE

IBM Tivoli Storage Productivity Center 5.2.13 through 5.3.0.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. X-Force ID: 158334.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ibm	Spectrum Control

Configuration 1 [-]

OR	cpe:2.3:a:ibm:spectrum_control::::::::
	cpe:2.3:a:ibm:spectrum_control::::::::

No data.

References

Link	Providers
http://www.ibm.com/support/docview.wss?uid=ibm10880375
http://www.securityfocus.com/bid/108533
https://exchange.xforce.ibmcloud.com/vulnerabilities/158334

History

No history.

MITRE

Status: PUBLISHED

Assigner: ibm

Published: 2019-05-29T15:10:24.210573Z

Updated: 2024-09-16T23:45:37.130Z

Reserved: 2019-01-03T00:00:00

Link: CVE-2019-4138

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-05-29T15:29:00.547

Modified: 2020-08-24T17:37:01.140

Link: CVE-2019-4138

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Spectrum Control Standard Edition", "vendor": "IBM", "versions": [{"status": "affected", "version": "5.2.13"}, {"status": "affected", "version": "5.2.14"}, {"status": "affected", "version": "5.2.15"}, {"status": "affected", "version": "5.2.16"}, {"status": "affected", "version": "5.2.15.2"}, {"status": "affected", "version": "5.2.17.0"}, {"status": "affected", "version": "5.2.17.1"}, {"status": "affected", "version": "5.2.17.2"}, {"status": "affected", "version": "5.3.0.1"}, {"status": "affected", "version": "5.3.15.3.2"}]}], "datePublic": "2019-05-23T00:00:00", "descriptions": [{"lang": "en", "value": "IBM Tivoli Storage Productivity Center 5.2.13 through 5.3.0.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. X-Force ID: 158334."}], "metrics": [{"cvssV3_0": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "exploitCodeMaturity": "UNPROVEN", "integrityImpact": "NONE", "privilegesRequired": "NONE", "remediationLevel": "OFFICIAL_FIX", "reportConfidence": "CONFIRMED", "scope": "UNCHANGED", "temporalScore": 5.2, "temporalSeverity": "MEDIUM", "userInteraction": "NONE", "vectorString": "CVSS:3.0/S:U/UI:N/C:H/A:N/I:N/AC:H/PR:N/AV:N/E:U/RC:C/RL:O", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "Obtain Information", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-06-03T06:06:02", "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://www.ibm.com/support/docview.wss?uid=ibm10880375"}, {"name": "ibm-tivoli-cve20194138-info-disc (158334)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/158334"}, {"name": "108533", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/108533"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@us.ibm.com", "DATE_PUBLIC": "2019-05-23T00:00:00", "ID": "CVE-2019-4138", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Spectrum Control Standard Edition", "version": {"version_data": [{"version_value": "5.2.13"}, {"version_value": "5.2.14"}, {"version_value": "5.2.15"}, {"version_value": "5.2.16"}, {"version_value": "5.2.15.2"}, {"version_value": "5.2.17.0"}, {"version_value": "5.2.17.1"}, {"version_value": "5.2.17.2"}, {"version_value": "5.3.0.1"}, {"version_value": "5.3.15.3.2"}]}}]}, "vendor_name": "IBM"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "IBM Tivoli Storage Productivity Center 5.2.13 through 5.3.0.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. X-Force ID: 158334."}]}, "impact": {"cvssv3": {"BM": {"A": "N", "AC": "H", "AV": "N", "C": "H", "I": "N", "PR": "N", "S": "U", "UI": "N"}, "TM": {"E": "U", "RC": "C", "RL": "O"}}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Obtain Information"}]}]}, "references": {"reference_data": [{"name": "http://www.ibm.com/support/docview.wss?uid=ibm10880375", "refsource": "CONFIRM", "title": "IBM Security Bulletin 880375 (Spectrum Control Standard Edition)", "url": "http://www.ibm.com/support/docview.wss?uid=ibm10880375"}, {"name": "ibm-tivoli-cve20194138-info-disc (158334)", "refsource": "XF", "title": "X-Force Vulnerability Report", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/158334"}, {"name": "108533", "refsource": "BID", "url": "http://www.securityfocus.com/bid/108533"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T19:26:27.937Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.ibm.com/support/docview.wss?uid=ibm10880375"}, {"name": "ibm-tivoli-cve20194138-info-disc (158334)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/158334"}, {"name": "108533", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/108533"}]}]}, "cveMetadata": {"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "assignerShortName": "ibm", "cveId": "CVE-2019-4138", "datePublished": "2019-05-29T15:10:24.210573Z", "dateReserved": "2019-01-03T00:00:00", "dateUpdated": "2024-09-16T23:45:37.130Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ibm:spectrum_control:*:*:*:*:*:*:*:*", "matchCriteriaId": "F33A9327-DBF9-4DC7-B08C-F44F16057171", "versionEndIncluding": "5.2.17.2", "versionStartIncluding": "5.2.13.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:spectrum_control:*:*:*:*:*:*:*:*", "matchCriteriaId": "4F331B27-A478-4D4A-89C0-13DBF01B20A5", "versionEndIncluding": "5.3.2.0", "versionStartIncluding": "5.3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "IBM Tivoli Storage Productivity Center 5.2.13 through 5.3.0.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. X-Force ID: 158334."}, {"lang": "es", "value": "IBM Tivoli Storage Productivity Center versi\u00f3n 5.2.13 hasta 5.3.0.1, podr\u00eda permitir a un atacante remoto conseguir informaci\u00f3n confidencial, generada por el hecho de no habilitar apropiadamente HTTP Strict Transport Security. Un atacante podr\u00eda aprovechar esta vulnerabilidad para conseguir informaci\u00f3n confidencial utilizando t\u00e9cnicas de tipo \"man in the middle\". X-Force ID: 158334."}], "id": "CVE-2019-4138", "lastModified": "2020-08-24T17:37:01.140", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "psirt@us.ibm.com", "type": "Secondary"}]}, "published": "2019-05-29T15:29:00.547", "references": [{"source": "psirt@us.ibm.com", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.ibm.com/support/docview.wss?uid=ibm10880375"}, {"source": "psirt@us.ibm.com", "url": "http://www.securityfocus.com/bid/108533"}, {"source": "psirt@us.ibm.com", "tags": ["Vendor Advisory", "VDB Entry"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/158334"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}]}