Vulnerability Details: CVE-2014-3077
IBM SONAS and System Storage Storwize V7000 Unified (aka V7000U) 1.3.x and 1.4.x before 1.4.3.4 store the chkauth password in the audit log, which allows local users to obtain sensitive information by reading this log file.
Vulnerability category: Information leak
Products affected by CVE-2014-3077
- cpe:2.3:a:ibm:storwize_v7000_unified_software:1.4.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:storwize_v7000_unified_software:1.3.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:storwize_v7000_unified_software:1.4.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:storwize_v7000_unified_software:1.3.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:storwize_v7000_unified_software:1.4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:storwize_v7000_unified_software:1.4.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:storwize_v7000_unified_software:1.3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:storwize_v7000_unified_software:1.4.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:storwize_v7000_unified_software:1.4.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:storwize_v7000_unified_software:1.4.2.0:*:*:*:*:*:*:*
- cpe:2.3:h:ibm:storwize_unified_v7000:-:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-3077
0.04%: probability of exploitation activity in the next 30 days
~ 6%: percentile, the proportion of vulnerabilities that are scored at or below this score
CVSS scores for CVE-2014-3077
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
2.1 | LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N | 3.9 | 2.9 | NIST | |
CWE ids for CVE-2014-3077
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-3077
- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004837
  IBM Security Bulletin: Password provided for executing chkauth is logged in audit log on IBM Storwize V7000 Unified (CVE-2014-3077) (Vendor Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/93906
  IBM Storwize V7000 Unified password information disclosure CVE-2014-3077 Vulnerability Report