Description
## Summary
Applications running in the IBM TRIRIGA Application Platform are vulnerable to a privilege escalation attack.
## Vulnerability Details
**CVEID:** [CVE-2017-1171](<https://vulners.com/cve/CVE-2017-1171>)
**DESCRIPTION:** The IBM TRIRIGA Application Platform contains a vulnerability that could allow an authenticated user to execute Application actions they do not have access to.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/123231> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
## Affected Products and Versions
The following IBM TRIRIGA Platform versions are affected.
· IBM TRIRIGA Application Platform 3.5.0 - 3.5.2.0.
· IBM TRIRIGA Application Platform 3.4.0 - 3.4.2.5.
· IBM TRIRIGA Application Platform 3.3.0 - 3.3.2.5.
## Remediation/Fixes
_Product_| _VRMF_| _APAR_| _Remediation/First Fix_
---|---|---|---
IBM TRIRIGA Application Platform| 3.5.2.1| | The fix is available in IBM TRIRIGA Application Platform 3.5.2.1 which is available for download on [_IBM Fix Central_](<https://www-945.ibm.com/support/fixcentral/>).
IBM TRIRIGA Application Platform| 3.4.2.6| | The application fix pack is available through IBM TRIRIGA Customer support as a Limited Available Fix Pack. A request can be made through the [_IBM Support Portal_](<https://www-947.ibm.com/support/entry/portal/support>).
IBM TRIRIGA Application Platform| 3.3.2.6| | The application fix pack is available through IBM TRIRIGA Customer support as a Limited Available Fix Pack. A request can be made through the [_IBM Support Portal_](<https://www-947.ibm.com/support/entry/portal/support>).
## Workarounds and Mitigations
Until you apply the fixes, it may be possible to reduce the risk of a successful attack by restricting access to internal networks, and not allowing external/Internet access to the application.