CVE-2023-49877

IBM System Storage Virtualization Engine TS7700 3957-VEC, 3948-VED and 3957-VEC could allow a remote authenticated user to obtain sensitive information, caused by improper filtering of URLs. By submitting a specially crafted HTTP GET request, an attacker could exploit this vulnerability to view application source code, system configuration information, or other sensitive data related to the Management Interface. IBM X-Force ID: 272651.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://exchange.xforce.ibmcloud.com/vulnerabilities/272651	VDB Entry Vendor Advisory
https://www.ibm.com/support/pages/node/7092383	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:ibm:virtualization_engine_ts7760_3957-vec_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:ibm:virtualization_engine_ts7760_3957-vec:r5.2.1:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:ibm:virtualization_engine_ts7760_3957-vec_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:ibm:virtualization_engine_ts7760_3957-vec:r5.3:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:ibm:virtualization_engine_ts7770_3957-ved_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:ibm:virtualization_engine_ts7770_3957-ved:r5.2.1:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:ibm:virtualization_engine_ts7770_3957-ved_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:ibm:virtualization_engine_ts7770_3957-ved:r5.3:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:o:ibm:virtualization_engine_ts7770_3948-ved_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:ibm:virtualization_engine_ts7770_3948-ved:r5.3:*:*:*:*:*:*:*

History

No history.

Information

Published : 2023-12-13 21:15

Updated : 2023-12-19 02:08

NVD link : CVE-2023-49877

Mitre link : CVE-2023-49877

CVE.ORG link : CVE-2023-49877

JSON object : View

Products Affected

ibm

virtualization_engine_ts7770_3948-ved_firmware
virtualization_engine_ts7760_3957-vec_firmware
virtualization_engine_ts7760_3957-vec
virtualization_engine_ts7770_3948-ved
virtualization_engine_ts7770_3957-ved_firmware
virtualization_engine_ts7770_3957-ved

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2023-49877", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "psirt@us.ibm.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2023-12-13T21:15:08.040", "references": [{"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/272651", "tags": ["VDB Entry", "Vendor Advisory"], "source": "psirt@us.ibm.com"}, {"url": "https://www.ibm.com/support/pages/node/7092383", "tags": ["Vendor Advisory"], "source": "psirt@us.ibm.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "psirt@us.ibm.com", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "IBM System Storage Virtualization Engine TS7700 3957-VEC, 3948-VED and 3957-VEC could allow a remote authenticated user to obtain sensitive information, caused by improper filtering of URLs. By submitting a specially crafted HTTP GET request, an attacker could exploit this vulnerability to view application source code, system configuration information, or other sensitive data related to the Management Interface. IBM X-Force ID: 272651."}, {"lang": "es", "value": "IBM System Storage Virtualization Engine TS7700 3957-VEC, 3948-VED y 3957-VEC podr\u00eda permitir que un usuario autenticado remotamente obtenga informaci\u00f3n confidencial, causada por un filtrado inadecuado de las URL. Al enviar una solicitud HTTP GET especialmente manipulada, un atacante podr\u00eda aprovechar esta vulnerabilidad para ver el c\u00f3digo fuente de la aplicaci\u00f3n, informaci\u00f3n de configuraci\u00f3n del sistema u otros datos confidenciales relacionados con la interfaz de administraci\u00f3n. ID de IBM X-Force: 272651."}], "lastModified": "2023-12-19T02:08:47.410", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:ibm:virtualization_engine_ts7760_3957-vec_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E6AE6909-E2BD-4E40-ACCF-42539FC45520", "versionEndIncluding": "8.52.103.23"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:ibm:virtualization_engine_ts7760_3957-vec:r5.2.1:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "F1F27A40-DCF1-49D5-8550-C9135A7775C2"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:ibm:virtualization_engine_ts7760_3957-vec_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7D6C62B2-B179-40AE-8D3E-0C1C44B129C7", "versionEndIncluding": "8.53.1.21"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:ibm:virtualization_engine_ts7760_3957-vec:r5.3:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "75A467BF-72F2-428C-AD92-DAD31C5D1E6B"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:ibm:virtualization_engine_ts7770_3957-ved_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6CA58C54-0E7F-40F6-9204-8961A58BCECA", "versionEndIncluding": "8.52.103.23"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:ibm:virtualization_engine_ts7770_3957-ved:r5.2.1:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "3F009408-2553-4A3D-808A-E390295A66E0"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:ibm:virtualization_engine_ts7770_3957-ved_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E04A6F2B-1762-48FD-A794-9E01D1D9E3C3", "versionEndIncluding": "8.53.1.21"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:ibm:virtualization_engine_ts7770_3957-ved:r5.3:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "29DAE222-4508-4BCA-B17D-2CEBF1A34B4A"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:ibm:virtualization_engine_ts7770_3948-ved_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0DA59D69-2B5C-4728-AF12-6C7D59A9CD38", "versionEndIncluding": "8.53.1.21"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:ibm:virtualization_engine_ts7770_3948-ved:r5.3:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "FCDA91D5-7A2D-4047-B3FB-21EF8274C2AA"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "psirt@us.ibm.com"}