CVE-2020-4955 - OpenCVE

IBM Spectrum Protect Operations Center 7.1 and 8.1could allow a remote attacker to execute arbitrary code on the system, caused by improper parameter validation. By creating an unspecified servlet request with specially crafted input parameters, an attacker could exploit this vulnerability to load a malicious .dll with elevated privileges. IBM X-Force ID: 192155.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Adjacent Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:A/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ibm	Spectrum Protect Operations Center

Configuration 1 [-]

OR	cpe:2.3:a:ibm:spectrum_protect_operations_center::::::::
	cpe:2.3:a:ibm:spectrum_protect_operations_center::::::::

No data.

References

Link	Providers
https://exchange.xforce.ibmcloud.com/vulnerabilities/192155
https://www.ibm.com/support/pages/node/6404966

History

No history.

MITRE

Status: PUBLISHED

Assigner: ibm

Published: 2021-02-15T15:05:20.081987Z

Updated: 2024-09-17T02:31:23.322Z

Reserved: 2019-12-30T00:00:00

Link: CVE-2020-4955

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-02-15T15:15:13.667

Modified: 2021-02-17T18:32:28.383

Link: CVE-2020-4955

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Spectrum Protect Operations Center", "vendor": "IBM", "versions": [{"status": "affected", "version": "8.1"}, {"status": "affected", "version": "7.1"}, {"status": "affected", "version": "8.1.10.100"}, {"status": "affected", "version": "7.1.12"}]}], "datePublic": "2021-02-12T00:00:00", "descriptions": [{"lang": "en", "value": "IBM Spectrum Protect Operations Center 7.1 and 8.1could allow a remote attacker to execute arbitrary code on the system, caused by improper parameter validation. By creating an unspecified servlet request with specially crafted input parameters, an attacker could exploit this vulnerability to load a malicious .dll with elevated privileges. IBM X-Force ID: 192155."}], "metrics": [{"cvssV3_0": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "exploitCodeMaturity": "UNPROVEN", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "remediationLevel": "OFFICIAL_FIX", "reportConfidence": "CONFIRMED", "scope": "CHANGED", "temporalScore": 7, "temporalSeverity": "HIGH", "userInteraction": "NONE", "vectorString": "CVSS:3.0/C:H/S:C/A:H/AC:H/PR:L/UI:N/AV:A/I:H/E:U/RL:O/RC:C", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "Gain Privileges", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-02-15T15:06:11", "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.ibm.com/support/pages/node/6404966"}, {"name": "ibm-spectrum-cve20204955-code-exec (192155)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/192155"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@us.ibm.com", "DATE_PUBLIC": "2021-02-12T00:00:00", "ID": "CVE-2020-4955", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Spectrum Protect Operations Center", "version": {"version_data": [{"version_value": "8.1"}, {"version_value": "7.1"}, {"version_value": "8.1.10.100"}, {"version_value": "7.1.12"}]}}]}, "vendor_name": "IBM"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "IBM Spectrum Protect Operations Center 7.1 and 8.1could allow a remote attacker to execute arbitrary code on the system, caused by improper parameter validation. By creating an unspecified servlet request with specially crafted input parameters, an attacker could exploit this vulnerability to load a malicious .dll with elevated privileges. IBM X-Force ID: 192155."}]}, "impact": {"cvssv3": {"BM": {"A": "H", "AC": "H", "AV": "A", "C": "H", "I": "H", "PR": "L", "S": "C", "UI": "N"}, "TM": {"E": "U", "RC": "C", "RL": "O"}}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Gain Privileges"}]}]}, "references": {"reference_data": [{"name": "https://www.ibm.com/support/pages/node/6404966", "refsource": "CONFIRM", "title": "IBM Security Bulletin 6404966 (Spectrum Protect Operations Center)", "url": "https://www.ibm.com/support/pages/node/6404966"}, {"name": "ibm-spectrum-cve20204955-code-exec (192155)", "refsource": "XF", "title": "X-Force Vulnerability Report", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/192155"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T08:14:59.283Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.ibm.com/support/pages/node/6404966"}, {"name": "ibm-spectrum-cve20204955-code-exec (192155)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/192155"}]}]}, "cveMetadata": {"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "assignerShortName": "ibm", "cveId": "CVE-2020-4955", "datePublished": "2021-02-15T15:05:20.081987Z", "dateReserved": "2019-12-30T00:00:00", "dateUpdated": "2024-09-17T02:31:23.322Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ibm:spectrum_protect_operations_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "BDA5A26F-E555-4401-8A74-C693D96BE215", "versionEndExcluding": "7.1.13.000", "versionStartIncluding": "7.1.0.000", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:spectrum_protect_operations_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "74404BEF-3CD4-4731-A9E2-4A4A913B82ED", "versionEndExcluding": "8.1.10.200", "versionStartIncluding": "8.1.0.000", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "IBM Spectrum Protect Operations Center 7.1 and 8.1could allow a remote attacker to execute arbitrary code on the system, caused by improper parameter validation. By creating an unspecified servlet request with specially crafted input parameters, an attacker could exploit this vulnerability to load a malicious .dll with elevated privileges. IBM X-Force ID: 192155."}, {"lang": "es", "value": "IBM Spectrum Protect Operations Center versiones 7.1 y 8.1, podr\u00eda permitir a un atacante remoto ejecutar c\u00f3digo arbitrario en el sistema, causado por una comprobaci\u00f3n inapropiada de par\u00e1metros. Al crear una petici\u00f3n de servlet no especificada con par\u00e1metros de entrada especialmente dise\u00f1ados, un atacante podr\u00eda explotar esta vulnerabilidad para cargar un archivo .dll malicioso con privilegios elevados. IBM X-Force ID: 192155"}], "id": "CVE-2020-4955", "lastModified": "2021-02-17T18:32:28.383", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 5.2, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 5.1, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.3, "impactScore": 6.0, "source": "psirt@us.ibm.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-02-15T15:15:13.667", "references": [{"source": "psirt@us.ibm.com", "tags": ["VDB Entry", "Vendor Advisory"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/192155"}, {"source": "psirt@us.ibm.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.ibm.com/support/pages/node/6404966"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "nvd@nist.gov", "type": "Primary"}]}