cnvd - cnvd-2016-04305

cnvd-2016-04305

Vulnerability from cnvd

Title: 多款EMC产品权限绕过漏洞

Description:

EMC Documentum WebTop等都是美国易安信（EMC）公司的产品。EMC Documentum WebTop是一套允许用户在标准浏览器应用中访问Documentum存储库和内容管理服务的产品。Documentum Administrator是一套基于Web用来执行Documentum系统管理任务的开发工具。

多款EMC产品中存在权限绕过漏洞。远程攻击者可利用该漏洞借助IAPI/IDQL接口绕过既定的访问限制，执行任意IAPI/IDQL命令。

Severity: 中

Patch Name: 多款EMC产品权限绕过漏洞的补丁

Patch Description:

多款EMC产品中存在权限绕过漏洞。远程攻击者可利用该漏洞借助IAPI/IDQL接口绕过既定的访问限制，执行任意IAPI/IDQL命令。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已经发布了升级补丁以修复此安全问题，详情请关注厂商主页： http://www.emc.com/

Reference: http://seclists.org/bugtraq/2016/Jun/92

Impacted products

Name
['EMC Documentum WebTop Patch 6.8', 'EMC Documentum WebTop Patch 6.8.1', 'EMC Documentum Administrator 7.0', 'EMC Documentum Administrator 7.1', 'EMC Documentum Capital Projects 1.9', 'EMC Documentum Capital Projects 1.10', 'EMC Documentum Administrator 7.2', 'EMC Documentum Taskspace 6.7 SP3']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2016-0914"
    }
  },
  "description": "EMC Documentum WebTop\u7b49\u90fd\u662f\u7f8e\u56fd\u6613\u5b89\u4fe1\uff08EMC\uff09\u516c\u53f8\u7684\u4ea7\u54c1\u3002EMC Documentum WebTop\u662f\u4e00\u5957\u5141\u8bb8\u7528\u6237\u5728\u6807\u51c6\u6d4f\u89c8\u5668\u5e94\u7528\u4e2d\u8bbf\u95eeDocumentum\u5b58\u50a8\u5e93\u548c\u5185\u5bb9\u7ba1\u7406\u670d\u52a1\u7684\u4ea7\u54c1\u3002Documentum Administrator\u662f\u4e00\u5957\u57fa\u4e8eWeb\u7528\u6765\u6267\u884cDocumentum\u7cfb\u7edf\u7ba1\u7406\u4efb\u52a1\u7684\u5f00\u53d1\u5de5\u5177\u3002\r\n\r\n\u591a\u6b3eEMC\u4ea7\u54c1\u4e2d\u5b58\u5728\u6743\u9650\u7ed5\u8fc7\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u501f\u52a9IAPI/IDQL\u63a5\u53e3\u7ed5\u8fc7\u65e2\u5b9a\u7684\u8bbf\u95ee\u9650\u5236\uff0c\u6267\u884c\u4efb\u610fIAPI/IDQL\u547d\u4ee4\u3002",
  "discovererName": "Security Alert",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u8be6\u60c5\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\uff1a\r\nhttp://www.emc.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2016-04305",
  "openTime": "2016-06-24",
  "patchDescription": "EMC Documentum WebTop\u7b49\u90fd\u662f\u7f8e\u56fd\u6613\u5b89\u4fe1\uff08EMC\uff09\u516c\u53f8\u7684\u4ea7\u54c1\u3002EMC Documentum WebTop\u662f\u4e00\u5957\u5141\u8bb8\u7528\u6237\u5728\u6807\u51c6\u6d4f\u89c8\u5668\u5e94\u7528\u4e2d\u8bbf\u95eeDocumentum\u5b58\u50a8\u5e93\u548c\u5185\u5bb9\u7ba1\u7406\u670d\u52a1\u7684\u4ea7\u54c1\u3002Documentum Administrator\u662f\u4e00\u5957\u57fa\u4e8eWeb\u7528\u6765\u6267\u884cDocumentum\u7cfb\u7edf\u7ba1\u7406\u4efb\u52a1\u7684\u5f00\u53d1\u5de5\u5177\u3002\r\n\r\n\u591a\u6b3eEMC\u4ea7\u54c1\u4e2d\u5b58\u5728\u6743\u9650\u7ed5\u8fc7\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u501f\u52a9IAPI/IDQL\u63a5\u53e3\u7ed5\u8fc7\u65e2\u5b9a\u7684\u8bbf\u95ee\u9650\u5236\uff0c\u6267\u884c\u4efb\u610fIAPI/IDQL\u547d\u4ee4\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "\u591a\u6b3eEMC\u4ea7\u54c1\u6743\u9650\u7ed5\u8fc7\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "EMC Documentum WebTop Patch 6.8",
      "EMC Documentum WebTop Patch 6.8.1",
      "EMC Documentum Administrator 7.0",
      "EMC Documentum Administrator 7.1",
      "EMC Documentum Capital Projects 1.9",
      "EMC Documentum Capital Projects 1.10",
      "EMC Documentum Administrator 7.2",
      "EMC Documentum Taskspace 6.7 SP3"
    ]
  },
  "referenceLink": "http://seclists.org/bugtraq/2016/Jun/92",
  "serverity": "\u4e2d",
  "submitTime": "2016-06-23",
  "title": "\u591a\u6b3eEMC\u4ea7\u54c1\u6743\u9650\u7ed5\u8fc7\u6f0f\u6d1e"
}

CVE-2016-0914 (GCVE-0-2016-0914)

Vulnerability from cvelistv5

Published

2016-06-23 00:00

Modified

2024-08-05 22:38

Severity ?

CWE

Summary

EMC Documentum WebTop 6.8 before Patch 13 and 6.8.1 before Patch 02, Documentum Administrator 7.x before 7.2 Patch 13, Documentum Capital Projects 1.9 before Patch 23 and 1.10 before Patch 10, and Documentum TaskSpace 6.7 SP3 allow remote authenticated users to bypass intended access restrictions and execute arbitrary IAPI/IDQL commands via the IAPI/IDQL interface.

References

▼	URL	Tags
	http://seclists.org/bugtraq/2016/Jun/92	mailing-list, x_refsource_BUGTRAQ
	http://www.securitytracker.com/id/1036153	vdb-entry, x_refsource_SECTRACK

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T22:38:41.025Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "20160622 ESA-2016-069: EMC Documentum WebTop and WebTop Clients Improper Authorization Vulnerability",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://seclists.org/bugtraq/2016/Jun/92"
          },
          {
            "name": "1036153",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1036153"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2016-06-22T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "EMC Documentum WebTop 6.8 before Patch 13 and 6.8.1 before Patch 02, Documentum Administrator 7.x before 7.2 Patch 13, Documentum Capital Projects 1.9 before Patch 23 and 1.10 before Patch 10, and Documentum TaskSpace 6.7 SP3 allow remote authenticated users to bypass intended access restrictions and execute arbitrary IAPI/IDQL commands via the IAPI/IDQL interface."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-01-09T16:57:01",
        "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "shortName": "dell"
      },
      "references": [
        {
          "name": "20160622 ESA-2016-069: EMC Documentum WebTop and WebTop Clients Improper Authorization Vulnerability",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://seclists.org/bugtraq/2016/Jun/92"
        },
        {
          "name": "1036153",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1036153"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security_alert@emc.com",
          "ID": "CVE-2016-0914",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "EMC Documentum WebTop 6.8 before Patch 13 and 6.8.1 before Patch 02, Documentum Administrator 7.x before 7.2 Patch 13, Documentum Capital Projects 1.9 before Patch 23 and 1.10 before Patch 10, and Documentum TaskSpace 6.7 SP3 allow remote authenticated users to bypass intended access restrictions and execute arbitrary IAPI/IDQL commands via the IAPI/IDQL interface."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "20160622 ESA-2016-069: EMC Documentum WebTop and WebTop Clients Improper Authorization Vulnerability",
              "refsource": "BUGTRAQ",
              "url": "http://seclists.org/bugtraq/2016/Jun/92"
            },
            {
              "name": "1036153",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1036153"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
    "assignerShortName": "dell",
    "cveId": "CVE-2016-0914",
    "datePublished": "2016-06-23T00:00:00",
    "dateReserved": "2015-12-17T00:00:00",
    "dateUpdated": "2024-08-05T22:38:41.025Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted