Details of VAR-201406-0164

ID

VAR-201406-0164

CVE

CVE-2014-4188

TITLE

Multiple Vulnerabilities in Hitachi Tuning Manager and JP1/Performance Management - Manager Web Option

Trust: 0.8

sources: JVNDB: JVNDB-2014-002800

DESCRIPTION

Cross-site request forgery (CSRF) vulnerability in Hitachi Tuning Manager before 7.6.1-06 and 8.x before 8.0.0-04 and JP1/Performance Management - Manager Web Option 07-00 through 07-54 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. These vulnerabilities can not be exploited, unless logging in these products.A remote attackers could insert to malicious scripts during display of the web page. Hitachi Tuning Manager (HTnM) software is a storage performance management application that maps, monitors, and analyzes storage network resources from applications to storage devices. A remote attacker can use the vulnerability to construct a malicious URI, induce users to parse, obtain sensitive cookies, hijack sessions or perform malicious operations on the client. 2. Allow remote attackers to construct malicious URIs to induce users to parse and perform malicious operations on the target user context. An attacker can exploit these vulnerabilities to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, disclose or modify sensitive information, or perform unauthorized actions. Other attacks are also possible

Trust: 2.43

sources: NVD: CVE-2014-4188 // JVNDB: JVNDB-2014-002800 // CNVD: CNVD-2014-03739 // BID: 68015

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2014-03739

AFFECTED PRODUCTS

vendor:	hitachi	model:	tuning manager	scope:	eq	version:	7.1.0	Trust: 1.6
vendor:	hitachi	model:	tuning manager	scope:	eq	version:	6.0.0	Trust: 1.6
vendor:	hitachi	model:	jp1\/performance management-manager web option	scope:	eq	version:	07-54	Trust: 1.6
vendor:	hitachi	model:	tuning manager	scope:	eq	version:	7.6.1	Trust: 1.6
vendor:	hitachi	model:	tuning manager	scope:	eq	version:	8.0.0	Trust: 1.6
vendor:	hitachi	model:	jp1\/performance management-manager web option	scope:	eq	version:	07-00	Trust: 1.0
vendor:	hitachi	model:	tuning manager	scope:	-	version:	-	Trust: 0.8
vendor:	hitachi	model:	jp1/performance management	scope:	eq	version:	- manager web option	Trust: 0.8
vendor:	hitachi	model:	jp1/performance management	scope:	-	version:	-	Trust: 0.6
vendor:	hitachi	model:	tuning manager software	scope:	eq	version:	7.001	Trust: 0.3
vendor:	hitachi	model:	tuning manager software	scope:	eq	version:	7.0	Trust: 0.3
vendor:	hitachi	model:	tuning manager software	scope:	eq	version:	6.402	Trust: 0.3
vendor:	hitachi	model:	tuning manager software	scope:	eq	version:	6.401	Trust: 0.3
vendor:	hitachi	model:	tuning manager software	scope:	eq	version:	6.2-01	Trust: 0.3
vendor:	hitachi	model:	tuning manager software	scope:	eq	version:	6.2-00	Trust: 0.3
vendor:	hitachi	model:	tuning manager software	scope:	eq	version:	6.1-00	Trust: 0.3
vendor:	hitachi	model:	tuning manager software	scope:	eq	version:	6.0	Trust: 0.3
vendor:	hitachi	model:	tuning manager software	scope:	eq	version:	7.1.0-00	Trust: 0.3
vendor:	hitachi	model:	tuning manager software	scope:	eq	version:	6.4.0-03	Trust: 0.3

sources: CNVD: CNVD-2014-03739 // BID: 68015 // JVNDB: JVNDB-2014-002800 // CNNVD: CNNVD-201406-354 // NVD: CVE-2014-4188

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-4188
value:	MEDIUM
Trust: 1.0
VENDOR:	JVNDB-2014-002800
value:	LOW
Trust: 0.8
CNVD:	CNVD-2014-03739
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201406-354
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2014-4188
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
VENDOR:	JVNDB-2014-002800
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2014-03739
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

sources: CNVD: CNVD-2014-03739 // JVNDB: JVNDB-2014-002800 // CNNVD: CNNVD-201406-354 // NVD: CVE-2014-4188

PROBLEMTYPE DATA

problemtype:	CWE-352	Trust: 1.8
problemtype:	CWE-79	Trust: 0.8

sources: JVNDB: JVNDB-2014-002800 // NVD: CVE-2014-4188

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201406-354

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201406-354

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-002800

PATCH

title:	HS14-013	url:	http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-013/index.html	Trust: 0.8
title:	Patch for Hitachi Tuning Manager / JP1 / Performance Management Multiple Vulnerabilities	url:	https://www.cnvd.org.cn/patchInfo/show/46503	Trust: 0.6

sources: CNVD: CNVD-2014-03739 // JVNDB: JVNDB-2014-002800

EXTERNAL IDS

db:	NVD	id:	CVE-2014-4188	Trust: 3.3
db:	HITACHI	id:	HS14-013	Trust: 2.2
db:	BID	id:	68015	Trust: 1.9
db:	SECUNIA	id:	58899	Trust: 1.6
db:	SECUNIA	id:	58528	Trust: 1.6
db:	JVNDB	id:	JVNDB-2014-002800	Trust: 0.8
db:	CNVD	id:	CNVD-2014-03739	Trust: 0.6
db:	CNNVD	id:	CNNVD-201406-354	Trust: 0.6

sources: CNVD: CNVD-2014-03739 // BID: 68015 // JVNDB: JVNDB-2014-002800 // CNNVD: CNNVD-201406-354 // NVD: CVE-2014-4188

REFERENCES

url:	http://www.hitachi.co.jp/prod/comp/soft1/global/security/info/vuls/hs14-013/index.html	Trust: 2.2
url:	http://secunia.com/advisories/58899	Trust: 1.6
url:	http://secunia.com/advisories/58528	Trust: 1.6
url:	http://www.securityfocus.com/bid/68015	Trust: 1.0
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-4188	Trust: 0.8
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-4189	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-4188	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-4189	Trust: 0.8
url:	http://www.hds.com/products/storage-software/hitachi-tuning-manager.html	Trust: 0.3

sources: CNVD: CNVD-2014-03739 // BID: 68015 // JVNDB: JVNDB-2014-002800 // CNNVD: CNNVD-201406-354 // NVD: CVE-2014-4188

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 68015

SOURCES

db:	CNVD	id:	CNVD-2014-03739
db:	BID	id:	68015
db:	JVNDB	id:	JVNDB-2014-002800
db:	CNNVD	id:	CNNVD-201406-354
db:	NVD	id:	CVE-2014-4188

LAST UPDATE DATE

2024-08-14T14:21:06.825000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2014-03739	date:	2014-06-19T00:00:00
db:	BID	id:	68015	date:	2014-08-06T00:31:00
db:	JVNDB	id:	JVNDB-2014-002800	date:	2015-03-03T00:00:00
db:	CNNVD	id:	CNNVD-201406-354	date:	2014-06-18T00:00:00
db:	NVD	id:	CVE-2014-4188	date:	2015-09-02T17:04:20.887

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2014-03739	date:	2014-06-19T00:00:00
db:	BID	id:	68015	date:	2014-06-10T00:00:00
db:	JVNDB	id:	JVNDB-2014-002800	date:	2014-06-12T00:00:00
db:	CNNVD	id:	CNNVD-201406-354	date:	2014-06-18T00:00:00
db:	NVD	id:	CVE-2014-4188	date:	2014-06-17T14:55:08.517