CVE-2018-1744
https://notcve.org/view.php?id=CVE-2018-1744
IBM Security Key Lifecycle Manager 2.5, 2.6, 2.7, and 3.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 148423.
• https://exchange.xforce.ibmcloud.com/vulnerabilities/148423 https://www.ibm.com/support/docview.wss?uid=ibm10733353
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2018-1747
https://notcve.org/view.php?id=CVE-2018-1747
IBM Security Key Lifecycle Manager 2.5, 2.6, 2.7, and 3.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 148428.
• https://exchange.xforce.ibmcloud.com/vulnerabilities/148428 https://www.ibm.com/support/docview.wss?uid=ibm10733429
• CWE-611: Improper Restriction of XML External Entity Reference
CVE-2014-0872
https://notcve.org/view.php?id=CVE-2014-0872
The installation process in IBM Security Key Lifecycle Manager 2.5 stores unencrypted credentials, which might allow local users to obtain sensitive information by leveraging root access. IBM X-Force ID: 90988.
• https://exchange.xforce.ibmcloud.com/vulnerabilities/90988 https://www.ibm.com/blogs/psirt/ibm-security-bulletin-unencrypted-credentials-stored-on-ibm-security-key-lifecycle-manager-server-cve-2014-0872
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
• CWE-255: Credentials Management Errors
CVE-2017-1668
https://notcve.org/view.php?id=CVE-2017-1668
IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 could allow a remote attacker to conduct phishing attacks using an open redirect. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to spoof the displayed URL and redirect the user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. IBM X-Force ID: 133562.
• http://www.ibm.com/support/docview.wss?uid=swg22012010 http://www.securityfocus.com/bid/102430 https://exchange.xforce.ibmcloud.com/vulnerabilities/133562
• CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CVE-2017-1670
https://notcve.org/view.php?id=CVE-2017-1670
IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database. IBM X-Force ID: 133637.
• http://www.ibm.com/support/docview.wss?uid=swg22012009 http://www.securityfocus.com/bid/102429 https://exchange.xforce.ibmcloud.com/vulnerabilities/133637
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')