CVE-2011-0489

The server components in Objectivity/DB 10.0 do not require authentication for administrative commands, which allows remote attackers to modify data, obtain sensitive information, or cause a denial of service by sending requests over TCP to (1) the Lock Server or (2) the Advanced Multithreaded Server, as demonstrated by commands that are ordinarily sent by the (a) ookillls and (b) oostopams applications. NOTE: some of these details are obtained from third party information.

CVSS v2.0 7.5 HIGH

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://www.securityfocus.com/bid/45803
http://www.kb.cert.org/vuls/id/782567	US Government Resource
http://secunia.com/advisories/42901	Vendor Advisory
http://www.exploit-db.com/exploits/15988	Exploit
http://osvdb.org/70424
http://www.vupen.com/english/advisories/2011/0127	Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/64699

Advertisement

Configurations

Configuration 1 (hide)

cpe:2.3:a:objectivity:objectivity\/db:10.0:*:*:*:*:*:*:*

Information

Published : 2011-01-18 10:03

Updated : 2017-08-16 18:33

NVD link : CVE-2011-0489

Mitre link : CVE-2011-0489

JSON object : View

CWE

CWE-287

Improper Authentication

Advertisement

Products Affected

objectivity

objectivity\/db

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://www.securityfocus.com/bid/45803", "name": "45803", "tags": [], "refsource": "BID"}, {"url": "http://www.kb.cert.org/vuls/id/782567", "name": "VU#782567", "tags": ["US Government Resource"], "refsource": "CERT-VN"}, {"url": "http://secunia.com/advisories/42901", "name": "42901", "tags": ["Vendor Advisory"], "refsource": "SECUNIA"}, {"url": "http://www.exploit-db.com/exploits/15988", "name": "15988", "tags": ["Exploit"], "refsource": "EXPLOIT-DB"}, {"url": "http://osvdb.org/70424", "name": "70424", "tags": [], "refsource": "OSVDB"}, {"url": "http://www.vupen.com/english/advisories/2011/0127", "name": "ADV-2011-0127", "tags": ["Vendor Advisory"], "refsource": "VUPEN"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64699", "name": "objectivity-operations-sec-bypass(64699)", "tags": [], "refsource": "XF"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "The server components in Objectivity/DB 10.0 do not require authentication for administrative commands, which allows remote attackers to modify data, obtain sensitive information, or cause a denial of service by sending requests over TCP to (1) the Lock Server or (2) the Advanced Multithreaded Server, as demonstrated by commands that are ordinarily sent by the (a) ookillls and (b) oostopams applications. NOTE: some of these details are obtained from third party information."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-287"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2011-0489", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "HIGH", "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2011-01-18T18:03Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:objectivity:objectivity\\/db:10.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2017-08-17T01:33Z"}