Vulnerability Details: CVE-2015-0173
The HTTP connection-management functionality in Internet Pass-Thru (IPT) before 2.1.0.2 in IBM WebSphere MQ, when HTTPS is disabled, does not properly generate MQIPT Session IDs, which makes it easier for remote attackers to bypass intended restrictions on MQ message data by predicting an ID value.
Exploit prediction scoring system (EPSS) score for CVE-2015-0173
Probability of exploitation activity in the next 30 days: 0.20%
Percentile, the proportion of vulnerabilities that are scored at or less: ~56%
CVSS scores for CVE-2015-0173
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N | 8.6 | 2.9 | NIST |
CWE ids for CVE-2015-0173
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-0173
- http://www-01.ibm.com/support/docview.wss?uid=swg21699547
  IBM Security Bulletin: IBM WebSphere MQIPT Session IDs are predictable (CVE-2015-0173) (Patch; Vendor Advisory)
- http://www.securitytracker.com/id/1032630
  IBM WebSphere MQIPT Predictable Session IDs Let Remote Users Intercept Data - SecurityTracker
Products affected by CVE-2015-0173
- cpe:2.3:a:ibm:websphere_mq_internet_pass_thru:*:*:*:*:*:websphere_mq:*:*