Vulnerability Details : CVE-2016-3028
IBM Security Access Manager for Web 7.0 before IF2 and 8.0 before 8.0.1.4 IF3 and Security Access Manager 9.0 before 9.0.1.0 IF5 allow remote authenticated users to execute arbitrary commands by leveraging LMI admin access.
Products affected by CVE-2016-3028
- cpe:2.3:a:ibm:security_access_manager_for_web:8.0.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:security_access_manager_for_web:8.0.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:security_access_manager_for_web:8.0.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:security_access_manager_for_web:8.0.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:security_access_manager_for_web:7.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:security_access_manager_for_web:8.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:security_access_manager_for_web:8.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:security_access_manager_for_web:8.0.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:security_access_manager_for_web:8.0.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:security_access_manager:9.0.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:security_access_manager:9.0.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:security_access_manager:9.0.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-3028
- EPSS score: 1.08% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~84% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2016-3028
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
9.0 | HIGH | AV:N/AC:L/Au:S/C:C/I:C/A:C | 8.0 | 10.0 | NIST |
9.1 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | 2.3 | 6.0 | NIST |
CWE ids for CVE-2016-3028
- The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2016-3028
- http://www-01.ibm.com/support/docview.wss?uid=swg1IV89326 (IBM notice: The page you requested cannot be displayed; broken link)
- http://www-01.ibm.com/support/docview.wss?uid=swg1IV89257 (IBM notice: The page you requested cannot be displayed; broken link)
- http://www-01.ibm.com/support/docview.wss?uid=swg1IV89322 (IBM notice: The page you requested cannot be displayed; broken link)
- http://www-01.ibm.com/support/docview.wss?uid=swg21990317 (IBM Security Bulletin: A command injection vulnerability has been identified in IBM Security Access Manager for Web appliances (CVE-2016-3028); vendor advisory)
- http://www.securityfocus.com/bid/93176 (IBM Security Access Manager CVE-2016-3028 Remote Command Injection Vulnerability)