cnvd - cnvd-2020-33086

cnvd-2020-33086

Vulnerability from cnvd

Title: IBM Spectrum Protect点击劫持漏洞

Description:

IBM Spectrum Protect（前称Tivoli Storage Manager）是美国IBM公司的一套数据保护平台。该平台为企业提供单一控制和管理点，并支持对所有规模的虚拟、物理和云环境进行备份和恢复。

IBM Spectrum Protect Client和IBM Spectrum Protect for Space Management中存在安全漏洞。远程攻击者可通过诱使用户访问恶意网站利用该漏洞劫持受害者的点击动作，并发起进一步的攻击。

Severity: 中

Patch Name: IBM Spectrum Protect点击劫持漏洞的补丁

Patch Description:

IBM Spectrum Protect Client和IBM Spectrum Protect for Space Management中存在安全漏洞。远程攻击者可通过诱使用户访问恶意网站利用该漏洞劫持受害者的点击动作，并发起进一步的攻击。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://www.ibm.com/support/pages/node/6221448

Reference: https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-protect-client-and-ibm-spectrum-protect-for-space-management-web-user-interface-vulnerable-to-authentication-bypass-and-clickjacking-cve-2020-4494-cve-2020-4406/

Impacted products

Name
['IBM Spectrum Protect Client(Linux and Windows) >=8.1.7.0，<=8.1.9.1', 'IBM Spectrum Protect Client(AIX) >=8.1.9.0，<=8.1.9.1', 'IBM Spectrum Protect for Space Management(AIX) >=8.1.9.0，<=8.1.9.1', 'IBM Spectrum Protect for Space Management (Linux) >=8.1.7.0，<=8.1.9.1']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-4406"
    }
  },
  "description": "IBM Spectrum Protect\uff08\u524d\u79f0Tivoli Storage Manager\uff09\u662f\u7f8e\u56fdIBM\u516c\u53f8\u7684\u4e00\u5957\u6570\u636e\u4fdd\u62a4\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u4e3a\u4f01\u4e1a\u63d0\u4f9b\u5355\u4e00\u63a7\u5236\u548c\u7ba1\u7406\u70b9\uff0c\u5e76\u652f\u6301\u5bf9\u6240\u6709\u89c4\u6a21\u7684\u865a\u62df\u3001\u7269\u7406\u548c\u4e91\u73af\u5883\u8fdb\u884c\u5907\u4efd\u548c\u6062\u590d\u3002\n\nIBM Spectrum Protect Client\u548cIBM Spectrum Protect for Space Management\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u8bf1\u4f7f\u7528\u6237\u8bbf\u95ee\u6076\u610f\u7f51\u7ad9\u5229\u7528\u8be5\u6f0f\u6d1e\u52ab\u6301\u53d7\u5bb3\u8005\u7684\u70b9\u51fb\u52a8\u4f5c\uff0c\u5e76\u53d1\u8d77\u8fdb\u4e00\u6b65\u7684\u653b\u51fb\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://www.ibm.com/support/pages/node/6221448",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-33086",
  "openTime": "2020-06-16",
  "patchDescription": "IBM Spectrum Protect\uff08\u524d\u79f0Tivoli Storage Manager\uff09\u662f\u7f8e\u56fdIBM\u516c\u53f8\u7684\u4e00\u5957\u6570\u636e\u4fdd\u62a4\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u4e3a\u4f01\u4e1a\u63d0\u4f9b\u5355\u4e00\u63a7\u5236\u548c\u7ba1\u7406\u70b9\uff0c\u5e76\u652f\u6301\u5bf9\u6240\u6709\u89c4\u6a21\u7684\u865a\u62df\u3001\u7269\u7406\u548c\u4e91\u73af\u5883\u8fdb\u884c\u5907\u4efd\u548c\u6062\u590d\u3002\r\n\r\nIBM Spectrum Protect Client\u548cIBM Spectrum Protect for Space Management\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u8bf1\u4f7f\u7528\u6237\u8bbf\u95ee\u6076\u610f\u7f51\u7ad9\u5229\u7528\u8be5\u6f0f\u6d1e\u52ab\u6301\u53d7\u5bb3\u8005\u7684\u70b9\u51fb\u52a8\u4f5c\uff0c\u5e76\u53d1\u8d77\u8fdb\u4e00\u6b65\u7684\u653b\u51fb\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "IBM Spectrum Protect\u70b9\u51fb\u52ab\u6301\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "IBM Spectrum Protect Client(Linux and Windows) \u003e=8.1.7.0\uff0c\u003c=8.1.9.1",
      "IBM Spectrum Protect Client(AIX) \u003e=8.1.9.0\uff0c\u003c=8.1.9.1",
      "IBM  Spectrum Protect for Space Management(AIX)  \u003e=8.1.9.0\uff0c\u003c=8.1.9.1",
      "IBM Spectrum Protect for Space Management (Linux) \u003e=8.1.7.0\uff0c\u003c=8.1.9.1"
    ]
  },
  "referenceLink": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-protect-client-and-ibm-spectrum-protect-for-space-management-web-user-interface-vulnerable-to-authentication-bypass-and-clickjacking-cve-2020-4494-cve-2020-4406/",
  "serverity": "\u4e2d",
  "submitTime": "2020-06-15",
  "title": "IBM Spectrum Protect\u70b9\u51fb\u52ab\u6301\u6f0f\u6d1e"
}

CVE-2020-4406 (GCVE-0-2020-4406)

Vulnerability from cvelistv5

Published

2020-06-15 13:25

Modified

2024-09-17 00:15

Severity ?

5.4 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C

CWE

Gain Access

Summary

IBM Spectrum Protect Client 8.1.7.0 through 8.1.9.1 (Linux and Windows), 8.1.9.0 trough 8.1.9.1 (AIX) and IBM Spectrum Protect for Space Management 8.1.7.0 through 8.1.9.1 (Linux), 8.1.9.0 through 8.1.9.1 (AIX) web user interfaces could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 179488.

References

▼	URL	Tags
	https://www.ibm.com/support/pages/node/6221448	x_refsource_CONFIRM
	https://exchange.xforce.ibmcloud.com/vulnerabilities/179488	vdb-entry, x_refsource_XF

Impacted products

Vendor

Product

Version

▼

IBM

Spectrum Protect Client (Linux and Windows)

Version: 8.1.7.0
Version: 8.1.9.1

IBM	Spectrum Protect Client (AIX)	Version: 8.1.9.0 Version: 8.1.9.1
IBM	Spectrum Protect for Space Management (AIX)	Version: 8.1.9.0 Version: 8.1.9.1
IBM	Spectrum Protect for Space Management (Linux)	Version: 8.1.7.0 Version: 8.1.9.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T08:00:06.943Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.ibm.com/support/pages/node/6221448"
          },
          {
            "name": "ibm-spectrum-cve20204406-clickjacking (179488)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/179488"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Spectrum Protect Client (Linux and Windows)",
          "vendor": "IBM",
          "versions": [
            {
              "status": "affected",
              "version": "8.1.7.0"
            },
            {
              "status": "affected",
              "version": "8.1.9.1"
            }
          ]
        },
        {
          "product": "Spectrum Protect Client (AIX)",
          "vendor": "IBM",
          "versions": [
            {
              "status": "affected",
              "version": "8.1.9.0"
            },
            {
              "status": "affected",
              "version": "8.1.9.1"
            }
          ]
        },
        {
          "product": "Spectrum Protect for Space Management (AIX)",
          "vendor": "IBM",
          "versions": [
            {
              "status": "affected",
              "version": "8.1.9.0"
            },
            {
              "status": "affected",
              "version": "8.1.9.1"
            }
          ]
        },
        {
          "product": "Spectrum Protect for Space Management (Linux)",
          "vendor": "IBM",
          "versions": [
            {
              "status": "affected",
              "version": "8.1.7.0"
            },
            {
              "status": "affected",
              "version": "8.1.9.1"
            }
          ]
        }
      ],
      "datePublic": "2020-06-12T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "IBM Spectrum Protect Client 8.1.7.0 through 8.1.9.1 (Linux and Windows), 8.1.9.0 trough 8.1.9.1 (AIX) and IBM Spectrum Protect for Space Management 8.1.7.0 through 8.1.9.1 (Linux), 8.1.9.0 through 8.1.9.1 (AIX) web user interfaces could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim\u0027s click actions and possibly launch further attacks against the victim. IBM X-Force ID: 179488."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "exploitCodeMaturity": "UNPROVEN",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "remediationLevel": "OFFICIAL_FIX",
            "reportConfidence": "CONFIRMED",
            "scope": "CHANGED",
            "temporalScore": 4.7,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/C:L/PR:L/AC:L/UI:R/S:C/A:N/I:L/E:U/RC:C/RL:O",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Gain Access",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-06-15T13:25:25",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.ibm.com/support/pages/node/6221448"
        },
        {
          "name": "ibm-spectrum-cve20204406-clickjacking (179488)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/179488"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@us.ibm.com",
          "DATE_PUBLIC": "2020-06-12T00:00:00",
          "ID": "CVE-2020-4406",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Spectrum Protect Client (Linux and Windows)",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "8.1.7.0"
                          },
                          {
                            "version_value": "8.1.9.1"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Spectrum Protect Client (AIX)",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "8.1.9.0"
                          },
                          {
                            "version_value": "8.1.9.1"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Spectrum Protect for Space Management (AIX)",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "8.1.9.0"
                          },
                          {
                            "version_value": "8.1.9.1"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Spectrum Protect for Space Management (Linux)",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "8.1.7.0"
                          },
                          {
                            "version_value": "8.1.9.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "IBM"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "IBM Spectrum Protect Client 8.1.7.0 through 8.1.9.1 (Linux and Windows), 8.1.9.0 trough 8.1.9.1 (AIX) and IBM Spectrum Protect for Space Management 8.1.7.0 through 8.1.9.1 (Linux), 8.1.9.0 through 8.1.9.1 (AIX) web user interfaces could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim\u0027s click actions and possibly launch further attacks against the victim. IBM X-Force ID: 179488."
            }
          ]
        },
        "impact": {
          "cvssv3": {
            "BM": {
              "A": "N",
              "AC": "L",
              "AV": "N",
              "C": "L",
              "I": "L",
              "PR": "L",
              "S": "C",
              "UI": "R"
            },
            "TM": {
              "E": "U",
              "RC": "C",
              "RL": "O"
            }
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Gain Access"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.ibm.com/support/pages/node/6221448",
              "refsource": "CONFIRM",
              "title": "IBM Security Bulletin 6221448 (Spectrum Protect Client (Linux and Windows))",
              "url": "https://www.ibm.com/support/pages/node/6221448"
            },
            {
              "name": "ibm-spectrum-cve20204406-clickjacking (179488)",
              "refsource": "XF",
              "title": "X-Force Vulnerability Report",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/179488"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2020-4406",
    "datePublished": "2020-06-15T13:25:25.338254Z",
    "dateReserved": "2019-12-30T00:00:00",
    "dateUpdated": "2024-09-17T00:15:44.616Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted