CVE-2015-7818

The administration-panel web service in IBM System Networking Switch Center (SNSC) before 7.3.1.5 and Lenovo Switch Center before 8.1.2.0 allows local users to execute arbitrary JSP code with SYSTEM privileges by using the Apache Axis AdminService deployment method to install a .jsp file.

CVSS v2.0 7.2 HIGH

7.2^/10

CVSS v2.0 : HIGH

Vector : AV:L/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 3.9 / Impact : 10.0

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://www.zerodayinitiative.com/advisories/ZDI-15-551/
https://support.lenovo.com/us/en/product_security/len_2015_074	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:ibm:system_networking_switch_center:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:lenovo:switch_center:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2015-11-12 03:59

Updated : 2015-11-12 19:04

NVD link : CVE-2015-7818

Mitre link : CVE-2015-7818

CVE.ORG link : CVE-2015-7818

JSON object : View

Products Affected

lenovo

switch_center

ibm

system_networking_switch_center

CWE

CWE-264

Permissions, Privileges, and Access Controls

{"id": "CVE-2015-7818", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.2, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2015-11-12T03:59:06.500", "references": [{"url": "http://www.zerodayinitiative.com/advisories/ZDI-15-551/", "source": "cve@mitre.org"}, {"url": "https://support.lenovo.com/us/en/product_security/len_2015_074", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-264"}]}], "descriptions": [{"lang": "en", "value": "The administration-panel web service in IBM System Networking Switch Center (SNSC) before 7.3.1.5 and Lenovo Switch Center before 8.1.2.0 allows local users to execute arbitrary JSP code with SYSTEM privileges by using the Apache Axis AdminService deployment method to install a .jsp file."}, {"lang": "es", "value": "El servicio web administration-panel en IBM System Networking Switch Center (SNSC) en versiones anteriores a 7.3.1.5 y Lenovo Switch Center en versiones anteriores a 8.1.2.0 permite a usuarios locales ejecutar c\u00f3digo JSP arbitrario con privilegios SYSTEM usando el m\u00e9todo de lanzamiento Apache Axis AdminService para instalar un archivo .jsp."}], "lastModified": "2015-11-12T19:04:48.440", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ibm:system_networking_switch_center:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9F78E25E-A371-486B-A7A4-C82F806266ED", "versionEndIncluding": "7.3.1.4"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:switch_center:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2B2AC6A9-DF5D-451C-83F6-BE2066527F30", "versionEndIncluding": "8.1.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}