Vulnerability Details : CVE-2016-2894
IBM Spectrum Protect (formerly Tivoli Storage Manager) 5.5 through 6.3 before 6.3.2.6, 6.4 before 6.4.3.3, and 7.1 before 7.1.6 allows local users to obtain sensitive retrieved data from arbitrary accounts in opportunistic circumstances by leveraging previous use of a symlink during archive and retrieve actions.
Products affected by CVE-2016-2894
- cpe:2.3:a:ibm:tivoli_storage_manager:5.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:5.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:6.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:6.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:6.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:6.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:6.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:6.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:6.3.0.17:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:6.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:6.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:6.1.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:6.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:5.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:6.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:6.2.4.7:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:6.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:6.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:6.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:6.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:5.5.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:5.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:6.4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:6.4.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:6.4.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:6.3.0.15:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:6.3.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:6.4.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:7.1.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:7.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:6.3.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:6.4.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:6.4.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:7.1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:7.1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:6.3.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:6.4.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:7.1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:6.1.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:5.5.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:6.1.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:5.5.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:6.4:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:7.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:6.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:5.5:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:6.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:6.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:7.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:6.4.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:6.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:6.4.2.200:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:6.4.2.100:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:7.1.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:7.1.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:7.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:7.1.3.100:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:7.1.1.200:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:7.1.1.100:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:7.1.5.200:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:7.1..5.100:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:7.1.3.000:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:7.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:7.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:7.1.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:tivoli_storage_manager:7.1.1.300:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-2894
0.06%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 14 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2016-2894
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
2.1
|
LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N |
3.9
|
2.9
|
NIST | |
|
2.5
|
LOW | CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N |
1.0
|
1.4
|
NIST |
CWE ids for CVE-2016-2894
-
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-2894
-
http://www.securityfocus.com/bid/91534
IBM Tivoli Storage Manager Client CVE-2016-2894 Local Information Disclosure Vulnerability
-
http://www-01.ibm.com/support/docview.wss?uid=swg21985579
IBM Security Bulletin: Unauthorized Access Vulnerability affects IBM Tivoli Storage Manager Client (CVE-2016-2894)Vendor Advisory
-
http://www-01.ibm.com/support/docview.wss?uid=swg1IT13686
IBM IT13686: ACL LOST AFTER RETRIEVE OF A SYMBOLIC LINK IF LINK CROSSES FILESYSTEM BOUNDARY CAN RESULT IN AN UNAUTHORIZED ACCESS
-
http://www.securitytracker.com/id/1036220
IBM Tivoli Storage Manager Symlink Archive Flaw Lets Users View Privileged Files on the Target System - SecurityTracker
Jump to