Security Bulletin: Incorrect permissions on restored files and directories using IBM Spectrum Protect Backup-Archive Client web user interface on Windows (CVE-2019-4093)

Summary

Files and directories restored using the IBM Spectrum Protect (formerly Tivoli Storage Manager) Backup-Archive Client web user interface on Windows may have incorrect permissions.

Vulnerability Details

CVEID: CVE-2019-4093 DESCRIPTION: IBM Tivoli Storage Manager could allow a user to restore files and directories using IBM Spectrum Prootect Client Web User Interface on Windows that they should not have access to due to incorrect file permissions.
CVSS Base Score: 5.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/157981&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

IBM Spectrum Protect (formerly Tivoli Storage Manager) Backup-Archive Client web user interface version 8.1.7 on Windows.

Remediation/Fixes

Spectrum Protect Backup-Archive
Client Release

|

First Fixing
VRM Level

| Platform | APAR | Link to Fix
—|—|—|—|—
8.1.7 | 8.1.7.1 | Windows | IT28315 |

<http://www.ibm.com/support/docview.wss?uid=swg24043653&gt;

Workarounds and Mitigations

None.