Vulnerability Details : CVE-2015-4949
IBM Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server 7.1 before 7.1.2, Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server 7.1 before 7.1.2, and Tivoli Storage FlashCopy Manager 4.1 before 4.1.2 place cleartext passwords in exception messages, which allows physically proximate attackers to obtain sensitive information by reading GUI pop-up windows, a different vulnerability than CVE-2015-6557.
Vulnerability category: Information leak
Products affected by CVE-2015-4949
- cpe:2.3:a:ibm:tivoli_storage_flashcopy_manager:4.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_flashcopy_manager:4.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager_for_databases_data_protection_for_microsoft_sql_server:7.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager_for_databases_data_protection_for_microsoft_sql_server:7.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager_for_mail_data_protection_for_microsoft_exchange_server:7.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager_for_mail_data_protection_for_microsoft_exchange_server:7.2:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-4949
0.05%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 18 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2015-4949
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
2.1
|
LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N |
3.9
|
2.9
|
NIST |
CWE ids for CVE-2015-4949
-
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-4949
-
http://www.securitytracker.com/id/1033270
IBM Tivoli Storage Manager for Databases Lets Local Users View Passwords - SecurityTracker
-
http://www-01.ibm.com/support/docview.wss?uid=swg21963630
IBM Security Bulletin: Password Disclosure via FlashCopy Manager on Windows, Data Protection for Exchange, and Data Protection for SQL CVE-2015-4949, CVE 2015-6557Patch;Vendor Advisory
-
http://www-01.ibm.com/support/docview.wss?uid=swg1IT03480
IBM IT03480: PASSWORD DISCLOSURE VIA FLASHCOPY MANAGER ON WINDOWS, DP FOR EXCHANGE, AND DP FOR SQL CVE-2015-4949, CVE-2015-4949Vendor Advisory
Jump to