cnvd - cnvd-2020-04413

cnvd-2020-04413

Vulnerability from cnvd

Title: IBM Security Directory Server信息泄露漏洞（CNVD-2020-04413）

Description:

IBM Security Directory Server是美国IBM公司的一套使用了轻量级目录访问协议（LDAP）的企业身份管理软件。该软件提供一个可信的身份数据基础架构，用于身份验证。

IBM Security Directory Server 6.4.0版本，在URL中保存敏感信息，通过服务器日志、引用标头、浏览纪录访问URL，攻击者可未授权获取敏感信息。

Severity: 低

Patch Name: IBM Security Directory Server信息泄露漏洞（CNVD-2020-04413）的补丁

Patch Description:

IBM Security Directory Server 6.4.0版本，在URL中保存敏感信息，通过服务器日志、引用标头、浏览纪录访问URL，攻击者可未授权获取敏感信息。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://www.ibm.com/support/pages/node/1288660

Reference: https://nvd.nist.gov/vuln/detail/CVE-2019-4562

Impacted products

Name
IBM IBM Security Directory Server 6.4.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-4562",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2019-4562"
    }
  },
  "description": "IBM Security Directory Server\u662f\u7f8e\u56fdIBM\u516c\u53f8\u7684\u4e00\u5957\u4f7f\u7528\u4e86\u8f7b\u91cf\u7ea7\u76ee\u5f55\u8bbf\u95ee\u534f\u8bae\uff08LDAP\uff09\u7684\u4f01\u4e1a\u8eab\u4efd\u7ba1\u7406\u8f6f\u4ef6\u3002\u8be5\u8f6f\u4ef6\u63d0\u4f9b\u4e00\u4e2a\u53ef\u4fe1\u7684\u8eab\u4efd\u6570\u636e\u57fa\u7840\u67b6\u6784\uff0c\u7528\u4e8e\u8eab\u4efd\u9a8c\u8bc1\u3002\n\nIBM Security Directory Server 6.4.0\u7248\u672c\uff0c\u5728URL\u4e2d\u4fdd\u5b58\u654f\u611f\u4fe1\u606f\uff0c\u901a\u8fc7\u670d\u52a1\u5668\u65e5\u5fd7\u3001\u5f15\u7528\u6807\u5934\u3001\u6d4f\u89c8\u7eaa\u5f55\u8bbf\u95eeURL\uff0c\u653b\u51fb\u8005\u53ef\u672a\u6388\u6743\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://www.ibm.com/support/pages/node/1288660",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-04413",
  "openTime": "2020-02-10",
  "patchDescription": "IBM Security Directory Server\u662f\u7f8e\u56fdIBM\u516c\u53f8\u7684\u4e00\u5957\u4f7f\u7528\u4e86\u8f7b\u91cf\u7ea7\u76ee\u5f55\u8bbf\u95ee\u534f\u8bae\uff08LDAP\uff09\u7684\u4f01\u4e1a\u8eab\u4efd\u7ba1\u7406\u8f6f\u4ef6\u3002\u8be5\u8f6f\u4ef6\u63d0\u4f9b\u4e00\u4e2a\u53ef\u4fe1\u7684\u8eab\u4efd\u6570\u636e\u57fa\u7840\u67b6\u6784\uff0c\u7528\u4e8e\u8eab\u4efd\u9a8c\u8bc1\u3002\r\n\r\nIBM Security Directory Server 6.4.0\u7248\u672c\uff0c\u5728URL\u4e2d\u4fdd\u5b58\u654f\u611f\u4fe1\u606f\uff0c\u901a\u8fc7\u670d\u52a1\u5668\u65e5\u5fd7\u3001\u5f15\u7528\u6807\u5934\u3001\u6d4f\u89c8\u7eaa\u5f55\u8bbf\u95eeURL\uff0c\u653b\u51fb\u8005\u53ef\u672a\u6388\u6743\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "IBM Security Directory Server\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2020-04413\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "IBM IBM Security Directory Server 6.4.0"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2019-4562",
  "serverity": "\u4f4e",
  "submitTime": "2020-02-05",
  "title": "IBM Security Directory Server\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2020-04413\uff09"
}

CVE-2019-4562 (GCVE-0-2019-4562)

Vulnerability from cvelistv5

Published

2020-02-04 16:45

Modified

2024-09-16 16:14

Severity ?

3.7 (Low) - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C

CWE

Obtain Information

Summary

IBM Security Directory Server 6.4.0 stores sensitive information in URLs. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referer header or browser history. IBM X-Force ID: 166623.

References

▼	URL	Tags
	https://www.ibm.com/support/pages/node/1288660	x_refsource_CONFIRM
	https://exchange.xforce.ibmcloud.com/vulnerabilities/166623	vdb-entry, x_refsource_XF

Impacted products

	Vendor	Product	Version
	IBM	Security Directory Server	Version: 6.4.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T19:40:48.248Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.ibm.com/support/pages/node/1288660"
          },
          {
            "name": "ibm-sds-cve20194562-info-disc (166623)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/166623"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Security Directory Server",
          "vendor": "IBM",
          "versions": [
            {
              "status": "affected",
              "version": "6.4.0"
            }
          ]
        }
      ],
      "datePublic": "2020-02-03T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "IBM Security Directory Server 6.4.0 stores sensitive information in URLs. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referer header or browser history. IBM X-Force ID: 166623."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "exploitCodeMaturity": "UNPROVEN",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "remediationLevel": "OFFICIAL_FIX",
            "reportConfidence": "CONFIRMED",
            "scope": "UNCHANGED",
            "temporalScore": 3.2,
            "temporalSeverity": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/C:L/UI:N/PR:N/S:U/AV:N/AC:H/I:N/A:N/E:U/RC:C/RL:O",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Obtain Information",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-02-04T16:45:36",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.ibm.com/support/pages/node/1288660"
        },
        {
          "name": "ibm-sds-cve20194562-info-disc (166623)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/166623"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@us.ibm.com",
          "DATE_PUBLIC": "2020-02-03T00:00:00",
          "ID": "CVE-2019-4562",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Security Directory Server",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "6.4.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "IBM"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "IBM Security Directory Server 6.4.0 stores sensitive information in URLs. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referer header or browser history. IBM X-Force ID: 166623."
            }
          ]
        },
        "impact": {
          "cvssv3": {
            "BM": {
              "A": "N",
              "AC": "H",
              "AV": "N",
              "C": "L",
              "I": "N",
              "PR": "N",
              "S": "U",
              "UI": "N"
            },
            "TM": {
              "E": "U",
              "RC": "C",
              "RL": "O"
            }
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Obtain Information"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.ibm.com/support/pages/node/1288660",
              "refsource": "CONFIRM",
              "title": "IBM Security Bulletin 1288660 (Security Directory Server)",
              "url": "https://www.ibm.com/support/pages/node/1288660"
            },
            {
              "name": "ibm-sds-cve20194562-info-disc (166623)",
              "refsource": "XF",
              "title": "X-Force Vulnerability Report",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/166623"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2019-4562",
    "datePublished": "2020-02-04T16:45:36.794608Z",
    "dateReserved": "2019-01-03T00:00:00",
    "dateUpdated": "2024-09-16T16:14:16.596Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted