CVE-2017-1631漏洞详情 - SCAP中文社区

CVE-2017-1631

CVSS

6.8

发布时间 :2017-12-20 13:29:01

修订时间 :2018-01-05 15:07:50

NMS

[原文]IBM Jazz for Service Management (IBM Tivoli Components 1.1.3) is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 133140.

[CNNVD]CNNVD数据暂缺。

[机译]译文暂缺.

NVD
SecurityFocus

- CVSS (基础分值)

CVSS分值:	6.8	[中等(MEDIUM)]
机密性影响:	PARTIAL	[很可能造成信息泄露]
完整性影响:	PARTIAL	[可能会导致系统文件被修改]
可用性影响:	PARTIAL	[可能会导致性能下降或中断资源访问]
攻击复杂度:	MEDIUM	[漏洞利用存在一定的访问条件]
攻击向量:	NETWORK	[攻击者不需要获取内网访问权或本地访问权]
身份认证:	NONE	[漏洞利用无需身份认证]

- CWE (弱点类目)

CWE-352

[跨站请求伪造（CSRF）]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1631
(官方数据源) MITRE

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1631
(官方数据源) NVD

- 其它链接及资源

http://www.ibm.com/support/docview.wss?uid=swg22011307
(VENDOR_ADVISORY) CONFIRM http://www.ibm.com/support/docview.wss?uid=swg22011307

https://exchange.xforce.ibmcloud.com/vulnerabilities/133140
(VENDOR_ADVISORY) MISC https://exchange.xforce.ibmcloud.com/vulnerabilities/133140

- 漏洞信息

漏洞名称:IBM Jazz for Service Management CVE-2017-1631 Cross Site Request Forgery Vulnerability
漏洞分类: Input Validation Error	BugtraqID: 102294
远程溢出:Yes	本地溢出:No
发布日期:2017-12-05 12:00:00	更新日期:2017-12-05 12:00:00
漏洞作者: IBM

- 受影响的程序版本

IBM Jazz for Service Management 1.1.3

- 漏洞讨论

IBM Jazz for Service Management is prone to a cross-site request forgery vulnerability because it fails to properly validate HTTP requests.

Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible.

IBM Jazz for Service Management 1.1.3 is vulnerable; other versions may also be affected.

- 漏洞利用

An attacker can exploit this issue by enticing an unsuspecting user to follow a malicious URI.

- 解决方案

Updates are available. Please see the references or vendor advisory for more information.

- 相关参考

CVE数据库

检索CVE

关于CVE

CVE资源

Wise Words

人生的价值，并不是用时间，而是用深度去衡量的。

-- 列夫·托尔斯泰

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息，请查阅[关于本站]。

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标，它们的官方数据源均保存在MITRE公司的相关网站。

CVE 通用漏洞与披露Common Vulnerabilities and Exposures