ID

VAR-201702-0368


CVE

CVE-2016-3029


TITLE

IBM Security Access Manager Vulnerable to cross-site request forgery

Trust: 0.8

sources: JVNDB: JVNDB-2016-007248

DESCRIPTION

IBM Security Access Manager for Web is vulnerable to cross-site request forgery, which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. IBM Security Access Manager is an information security management product of IBM Corporation (United States); it provides access management control through integrated appliances for web, mobile and cloud computing. An attacker could exploit this vulnerability to perform unauthorized operations. The following versions are affected: IBM Security Access Manager for Web 8.0.0.0 through 8.0.1.4, Security Access Manager for Mobile 8.0.0.0 through 8.0.1.4, and Security Access Manager 9.0 through 9.0.1.0.

Trust: 1.98

sources: NVD: CVE-2016-3029 // JVNDB: JVNDB-2016-007248 // BID: 96133 // VULHUB: VHN-91848

AFFECTED PRODUCTS

vendor: ibm | model: security access manager for web 8.0 | scope: eq | version: 8.0.0.3 | Trust: 1.6
vendor: ibm | model: security access manager for mobile 8.0 | scope: eq | version: 8.0.0.1 | Trust: 1.6
vendor: ibm | model: security access manager for mobile 8.0 | scope: eq | version: 8.0.1.4 | Trust: 1.6
vendor: ibm | model: security access manager for web 8.0 | scope: eq | version: 8.0.1.3 | Trust: 1.6
vendor: ibm | model: security access manager for web 8.0 | scope: eq | version: 8.0.1.2 | Trust: 1.6
vendor: ibm | model: security access manager for web 8.0 | scope: eq | version: 8.0.0.5 | Trust: 1.6
vendor: ibm | model: security access manager for mobile 8.0 | scope: eq | version: 8.0.0.2 | Trust: 1.6
vendor: ibm | model: security access manager 9.0 | scope: eq | version: 9.0.0.1 | Trust: 1.6
vendor: ibm | model: security access manager 9.0 | scope: eq | version: 9.0.0 | Trust: 1.6
vendor: ibm | model: security access manager for web 8.0 | scope: eq | version: 8.0.1.0 | Trust: 1.6
vendor: ibm | model: security access manager for mobile 8.0 | scope: eq | version: 8.0.1.2 | Trust: 1.0
vendor: ibm | model: security access manager 9.0 | scope: eq | version: 9.0.1.0 | Trust: 1.0
vendor: ibm | model: security access manager for mobile 8.0 | scope: eq | version: 8.0.1.0 | Trust: 1.0
vendor: ibm | model: security access manager for mobile 8.0 | scope: eq | version: 8.0.0.3 | Trust: 1.0
vendor: ibm | model: security access manager for web 8.0 | scope: eq | version: 8.0.0.2 | Trust: 1.0
vendor: ibm | model: security access manager for mobile 8.0 | scope: eq | version: 8.0.0.5 | Trust: 1.0
vendor: ibm | model: security access manager for mobile 8.0 | scope: eq | version: 8.0.1.3 | Trust: 1.0
vendor: ibm | model: security access manager for web 8.0 | scope: eq | version: 8.0.0.1 | Trust: 1.0
vendor: ibm | model: security access manager for web 8.0 | scope: eq | version: 8.0.1.4 | Trust: 1.0
vendor: ibm | model: security access manager for mobile the appliance | scope: - | version: - | Trust: 0.8
vendor: ibm | model: security access manager for mobile software | scope: eq | version: 8.0 | Trust: 0.8
vendor: ibm | model: security access manager for web the appliance | scope: - | version: - | Trust: 0.8
vendor: ibm | model: security access manager for web software | scope: eq | version: 8.0 | Trust: 0.8
vendor: ibm | model: security access manager the appliance | scope: - | version: - | Trust: 0.8
vendor: ibm | model: security access manager software | scope: eq | version: 9.0 | Trust: 0.8
vendor: ibm | model: security access manager for web | scope: eq | version: 8.03 | Trust: 0.3
vendor: ibm | model: security access manager for web | scope: eq | version: 8.02 | Trust: 0.3
vendor: ibm | model: security access manager for web | scope: eq | version: 8.0.1.4 | Trust: 0.3
vendor: ibm | model: security access manager for web | scope: eq | version: 8.0.1.3 | Trust: 0.3
vendor: ibm | model: security access manager for web | scope: eq | version: 8.0.1.2 | Trust: 0.3
vendor: ibm | model: security access manager for web | scope: eq | version: 8.0.1.1 | Trust: 0.3
vendor: ibm | model: security access manager for web | scope: eq | version: 8.0.1.0 | Trust: 0.3
vendor: ibm | model: security access manager for web | scope: eq | version: 8.0.0.5 | Trust: 0.3
vendor: ibm | model: security access manager for web | scope: eq | version: 8.0.0.4 | Trust: 0.3
vendor: ibm | model: security access manager for web | scope: eq | version: 8.0 | Trust: 0.3
vendor: ibm | model: security access manager for mobile | scope: eq | version: 8.0.1 | Trust: 0.3
vendor: ibm | model: security access manager for mobile | scope: eq | version: 8.0.1.4 | Trust: 0.3
vendor: ibm | model: security access manager for mobile | scope: eq | version: 8.0.1.3 | Trust: 0.3
vendor: ibm | model: security access manager for mobile | scope: eq | version: 8.0.1.2 | Trust: 0.3
vendor: ibm | model: security access manager for mobile | scope: eq | version: 8.0.1.1 | Trust: 0.3
vendor: ibm | model: security access manager for mobile | scope: eq | version: 8.0.0.5 | Trust: 0.3
vendor: ibm | model: security access manager for mobile | scope: eq | version: 8.0.0.4 | Trust: 0.3
vendor: ibm | model: security access manager for mobile | scope: eq | version: 8.0.0.3 | Trust: 0.3
vendor: ibm | model: security access manager for mobile | scope: eq | version: 8.0.0.2 | Trust: 0.3
vendor: ibm | model: security access manager for mobile | scope: eq | version: 8.0.0.1 | Trust: 0.3
vendor: ibm | model: security access manager for mobile | scope: eq | version: 8.0.0.0 | Trust: 0.3
vendor: ibm | model: security access manager | scope: eq | version: 9.0.1.0 | Trust: 0.3
vendor: ibm | model: security access manager | scope: eq | version: 9.0.0.1 | Trust: 0.3
vendor: ibm | model: security access manager | scope: eq | version: 9.0 | Trust: 0.3

sources: BID: 96133 // JVNDB: JVNDB-2016-007248 // CNNVD: CNNVD-201702-057 // NVD: CVE-2016-3029

CVSS

SEVERITY

nvd@nist.gov: CVE-2016-3029
value: HIGH

Trust: 1.0

NVD: CVE-2016-3029
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201702-057
value: HIGH

Trust: 0.6

VULHUB: VHN-91848
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2016-3029
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-91848
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2016-3029
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-91848 // JVNDB: JVNDB-2016-007248 // CNNVD: CNNVD-201702-057 // NVD: CVE-2016-3029

PROBLEMTYPE DATA

problemtype: CWE-352

Trust: 1.9

sources: VULHUB: VHN-91848 // JVNDB: JVNDB-2016-007248 // NVD: CVE-2016-3029

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201702-057

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201702-057

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-007248

PATCH

title: 1995345
url: http://www-01.ibm.com/support/docview.wss?uid=swg21995345

Trust: 0.8

title: IBM Security Access Manager Fixes for cross-site request forgery vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=67443

Trust: 0.6

sources: JVNDB: JVNDB-2016-007248 // CNNVD: CNNVD-201702-057

EXTERNAL IDS

db: NVD | id: CVE-2016-3029

Trust: 2.8

db: BID | id: 96133

Trust: 2.0

db: JVNDB | id: JVNDB-2016-007248

Trust: 0.8

db: CNNVD | id: CNNVD-201702-057

Trust: 0.7

db: VULHUB | id: VHN-91848

Trust: 0.1

sources: VULHUB: VHN-91848 // BID: 96133 // JVNDB: JVNDB-2016-007248 // CNNVD: CNNVD-201702-057 // NVD: CVE-2016-3029

REFERENCES

url: http://www.securityfocus.com/bid/96133

Trust: 1.7

url: http://www.ibm.com/support/docview.wss?uid=swg21995345

Trust: 1.7

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-3029

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-3029

Trust: 0.8

url: http://www.ibm.com/

Trust: 0.3

url: http://www-01.ibm.com/support/docview.wss?uid=swg21995345

Trust: 0.3

sources: VULHUB: VHN-91848 // BID: 96133 // JVNDB: JVNDB-2016-007248 // CNNVD: CNNVD-201702-057 // NVD: CVE-2016-3029

CREDITS

IBM X-Force Ethical Hacking Team: Paul Ionescu, Warren Moynihan, Jonathan Fitz-Gerald, John Zuccato, Rodney Ryan, Chris Shepherd, Dmitryi Beryoza.

Trust: 0.3

sources: BID: 96133

SOURCES

db: VULHUB | id: VHN-91848
db: BID | id: 96133
db: JVNDB | id: JVNDB-2016-007248
db: CNNVD | id: CNNVD-201702-057
db: NVD | id: CVE-2016-3029

LAST UPDATE DATE

2024-11-23T22:22:37.310000+00:00


SOURCES UPDATE DATE

db: VULHUB | id: VHN-91848 | date: 2020-10-27T00:00:00
db: BID | id: 96133 | date: 2017-03-07T02:02:00
db: JVNDB | id: JVNDB-2016-007248 | date: 2017-02-16T00:00:00
db: CNNVD | id: CNNVD-201702-057 | date: 2020-10-28T00:00:00
db: NVD | id: CVE-2016-3029 | date: 2024-11-21T02:49:13.543

SOURCES RELEASE DATE

db: VULHUB | id: VHN-91848 | date: 2017-02-01T00:00:00
db: BID | id: 96133 | date: 2016-12-14T00:00:00
db: JVNDB | id: JVNDB-2016-007248 | date: 2017-02-16T00:00:00
db: CNNVD | id: CNNVD-201702-057 | date: 2017-02-06T00:00:00
db: NVD | id: CVE-2016-3029 | date: 2017-02-01T20:59:00.677