CVE-2019-4061 : IBM BigFix Platform 9.2 and 9.5 could allow an attacker to query the relay remot

IBM BigFix Platform 9.2 and 9.5 could allow an attacker to query the relay remotely and gather information about the updates and fixlets deployed to the associated sites due to not enabling authenticated access. IBM X-Force ID: 156869.

Published 2019-02-27 22:29:01

Updated 2023-02-03 20:26:36

Source IBM Corporation

View at NVD, CVE.org

Vulnerability category: Information leak

Products affected by CVE-2019-4061

IBM » Bigfix Platform
Versions from including (>=) 9.5 and up to, including, (<=) 9.5.11
cpe:2.3:a:ibm:bigfix_platform:*:*:*:*:*:*:*:*
Matching versions
IBM » Bigfix Platform
Versions from including (>=) 9.2 and up to, including, (<=) 9.2.16
cpe:2.3:a:ibm:bigfix_platform:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2019-4061

EPSS FAQ

59.88%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 98 %

Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2019-4061

IBM BigFix Relay Server Sites and Package Enum

Disclosure Date: 2019-03-18

First seen: 2020-04-26

auxiliary/gather/ibm_bigfix_sites_packages_enum

This module retrieves masthead, site, and available package information from IBM BigFix Relay Servers. Authors: - HD Moore - Chris Bellows - Ryan Hanson - Jacob Robles

More information

CVSS scores for CVE-2019-4061

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:P/I:N/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
5.3	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	3.9	1.4	IBM Corporation
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: None
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	3.9	1.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: None

CWE ids for CVE-2019-4061

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2019-4061

https://exchange.xforce.ibmcloud.com/vulnerabilities/156869

IBM BigFix Platform information disclosure CVE-2019-4061 Vulnerability Report
VDB Entry;Vendor Advisory
http://www.securityfocus.com/bid/107189

IBM BigFix Platform CVE-2019-4061 Information Disclosure Vulnerability
Broken Link;Third Party Advisory;VDB Entry
http://www.rapid7.com/db/modules/auxiliary/gather/ibm_bigfix_sites_packages_enum

IBM BigFix Relay Server Sites and Package Enum | Rapid7
Third Party Advisory
http://www.ibm.com/support/docview.wss?uid=ibm10870242

IBM Security Bulletin: BigFix deployments with internet-facing relays that are not configured as authenticating are prone to security threats (CVE-2019-4061)
Broken Link;Vendor Advisory

Jump to