CERT VU:383092
History: Oct 20, 2006 - 12:00 a.m.

IBM Lotus Notes sets insecure default permissions on program data

2006-10-20 00:00:00
www.kb.cert.org

CVSS2: 4.6 Medium

Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.0005 Low
Percentile: 15.7%

Overview

IBM Lotus Notes sets insecure default permissions on the Notes directory. This vulnerability may allow a local attacker to gain unintended access to Lotus Notes program data.

Description

IBM Lotus Notes installs numerous program files and program data in a special directory known as the Notes directory. According to IBM Technote #21246773:

_By default, beginning with Notes 6.5.4 and affecting 6.5.5, 7.0 and 7.0.1, “Full Control” access (read/write/execute) to the Notes program and data directory is granted to the Windows group “Everyone”._


Impact

A local attacker may be able to gain unintended access to Lotus Notes program data.


Solution

Upgrade to unaffected versions of Lotus Notes

Lotus Notes versions 6.5.6 and 7.0.2 are reportedly not affected by this issue.


Workarounds to mitigate this vulnerability can be found in IBM Technote #21246773.
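
To check whether a workstation still carries the default described in the Technote, the following added PowerShell example (not from CERT or IBM) reports every allow ACE that grants Everyone (SID S-1-1-0) Full Control on a directory tree. The `-NotesDir` parameter and the function name `Test-EveryoneFullControl` are assumptions, since the advisory does not state the install path; PowerShell 3.0 or later is assumed.

```powershell
# Added example: audit a Notes directory tree for an "Everyone: Full Control" ACE.
# -NotesDir is an assumption; the advisory does not give the install path.
param(
    [Parameter(Mandatory = $true)]
    [string]$NotesDir
)

$everyoneSid = 'S-1-1-0'      # well-known SID of the Everyone group
$fullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$genericAll  = 0x10000000     # GENERIC_ALL, which can appear unmapped on inherit-only ACEs

function Test-EveryoneFullControl {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Ask for SIDs rather than account names so the check is language independent.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -ne $everyoneSid) { continue }
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $rights = [int]$rule.FileSystemRights
        $isFull = (($rights -band $fullControl) -eq $fullControl) -or
                  (($rights -band $genericAll) -ne 0)
        if ($isFull) {
            [pscustomobject]@{
                Path      = $Path
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited   # explicit ACEs mark where the grant was set
            }
        }
    }
}

# Check the directory itself, then every subdirectory beneath it.
$targets = @($NotesDir) + @(
    Get-ChildItem -LiteralPath $NotesDir -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { $_.FullName }
)
$findings = foreach ($target in $targets) { Test-EveryoneFullControl -Path $target }

if ($findings) {
    $findings | Format-Table -AutoSize
    exit 1    # non-zero exit lets an inventory or compliance job flag the host
}
Write-Output "No Everyone Full Control allow ACE found under $NotesDir"
```

Rows with `Inherited` set to False show where the permission was set explicitly, which is the ACL to correct when applying the Technote workaround or after upgrading.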


Vendor Information

Lotus Software: Affected

Updated: October 20, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21246773


Acknowledgements

This issue was reported by Carsten Eiram of Secunia Research.

This document was written by Jeff Gennari.

Other Information

CVE IDs: CVE-2005-2454
Severity Metric: 1.39
Date Public:
