CVE-2018-1492

Published: Jul 10, 2018Modified: Nov 21, 2024

6.8

Vector

CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 0.9 / Impact: 5.9

Source: NVD

Description

IBM Jazz Foundation products could allow a user with physical access to the system to log in as another user due to the server's failure to properly log out from the previous session. IBM X-Force ID: 140977.

Affected (13)

Products: Ibm: Rational Collaborative Lifecycle Management, Rational Team Concert, Rational Doors Next Generation, Rational Quality Manager, Rational Rhapsody Design Manager, Rational Software Architect Design Manager, Rational Engineering Lifecycle Manager

Ibm

7 products

Rational Collaborative Lifecycle Management

Rational Team Concert

Rational Doors Next Generation

Rational Quality Manager

Rational Rhapsody Design Manager

Rational Software Architect Design Manager

Rational Engineering Lifecycle Manager

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Ibm Rational Collaborative Lifecycle Management	From 5.0 to 6.0.5

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Ibm Rational Team Concert	From 5.0 to 5.0.2
Ibm Rational Team Concert	From 6.0.0 to 6.0.5

Configuration C

2 vulnerable

Vulnerable Software	Affected Versions
Ibm Rational Doors Next Generation	From 5.0 to 5.0.2
Ibm Rational Doors Next Generation	From 6.0.0 to 6.0.5

Configuration D

2 vulnerable

Vulnerable Software	Affected Versions
Ibm Rational Quality Manager	From 5.0 to 5.0.2
Ibm Rational Quality Manager	From 6.0.0 to 6.0.5

Configuration E

2 vulnerable

Vulnerable Software	Affected Versions
Ibm Rational Rhapsody Design Manager	From 5.0 to 5.0.2
Ibm Rational Rhapsody Design Manager	From 6.0.0 to 6.0.5

Configuration F

2 vulnerable

Vulnerable Software	Affected Versions
Ibm Rational Software Architect Design Manager	From 5.0 to 5.0.2
Ibm Rational Software Architect Design Manager	From 6.0 to 6.0.1

Configuration G

2 vulnerable

Vulnerable Software	Affected Versions
Ibm Rational Engineering Lifecycle Manager	From 5.0 to 5.0.2
Ibm Rational Engineering Lifecycle Manager	From 6.0.0 to 6.0.5

Related CWEs

CWE-384

Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

References (4)

http://www.ibm.com/support/docview.wss?uid=ibm10716599

Source: psirt@us.ibm.com

Vendor Advisory

https://exchange.xforce.ibmcloud.com/vulnerabilities/140977

Source: psirt@us.ibm.com

Third Party AdvisoryVDB Entry

http://www.ibm.com/support/docview.wss?uid=ibm10716599

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://exchange.xforce.ibmcloud.com/vulnerabilities/140977

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

Timeline

No history available yet.