CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | SINGLE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | NONE |

AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | NONE |

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS Percentile: 23.5%

IBM Security Key Lifecycle Manager specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. On the Windows operating system, all user accounts with access to the system have read access to all the application backups created in the SKLM_DATA folder.
CVEID: CVE-2018-1750
DESCRIPTION: IBM Tivoli Key Lifecycle Manager specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
CVSS Base Score: 4.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148511> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N)
IBM Security Key Lifecycle Manager: v3.0 - 3.0.0.1
IBM Security Key Lifecycle Manager: v2.7 - 2.7.0.4
IBM Security Key Lifecycle Manager: v2.6 - 2.6.0.5

Product | VRMF | Remediation/First Fix |
---|---|---|
IBM Security Key Lifecycle Manager | 3.0 - 3.0.0.1 | 3.0.0-ISS-SKLM-FP0002 |

On Linux servers, a sklmPermission.sh sklmPermissions.sh script is provided from 3.0.0-ISS-SKLM-FP0002 onwards.
On Windows servers, as a workaround, Windows users can change or remove read access for all users except Administrator.
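
One way to carry out the Windows workaround, as an added PowerShell example (not IBM's script and not part of the advisory): it reports every allow entry under SKLM_DATA that gives read access to an account outside a keep list and, with `-Apply`, removes those entries. The folder path is a placeholder because the advisory does not give it, and the keep list (Administrators and SYSTEM) is an assumption that must also include the account the key manager runs under.

```powershell
# Added example, not IBM's script. Run from an elevated prompt; without -Apply it only reports.
param(
    [Parameter(Mandatory)] [string] $SklmData,   # placeholder: full path of the SKLM_DATA folder
    # Assumption: only Administrators and SYSTEM keep access. Add the SID of the
    # account the key manager runs under if it is neither of these.
    [string[]] $KeepSids = @('S-1-5-32-544', 'S-1-5-18'),
    [switch] $Apply
)

function Get-UnintendedReadAce {
    # Allow ACEs in $Acl that grant read to a SID outside $KeepSids.
    param($Acl, [string[]] $KeepSids)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $Acl.GetAccessRules($true, $true, $sidType)) {
        $raw = [int] $ace.FileSystemRights
        # ReadData (0x1) or GENERIC_ALL (0x10000000); negative means GENERIC_READ (0x80000000).
        $canRead = (($raw -band 0x10000001) -ne 0) -or ($raw -lt 0)
        if ($ace.AccessControlType -eq 'Allow' -and $canRead -and
            $KeepSids -notcontains $ace.IdentityReference.Value) { $ace }
    }
}

$root  = Get-Item -LiteralPath $SklmData
$items = @($root) + @(Get-ChildItem -LiteralPath $SklmData -Recurse -Force)
foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    $bad = @(Get-UnintendedReadAce -Acl $acl -KeepSids $KeepSids)
    foreach ($ace in $bad) {
        [pscustomobject]@{ Path = $item.FullName; Sid = $ace.IdentityReference.Value
                           Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
    }
    if (-not $Apply -or $bad.Count -eq 0) { continue }
    if ($item.FullName -eq $root.FullName) {
        # Stop inheriting from the parent but keep the current ACEs as explicit ones,
        # then re-read so that they can be removed individually.
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -LiteralPath $item.FullName -AclObject $acl
        $acl = Get-Acl -LiteralPath $item.FullName
    }
    # Inherited ACEs on children disappear once the root is fixed; remove explicit ones here.
    foreach ($ace in Get-UnintendedReadAce -Acl $acl -KeepSids $KeepSids) {
        if (-not $ace.IsInherited) { $acl.RemoveAccessRuleSpecific($ace) }
    }
    Set-Acl -LiteralPath $item.FullName -AclObject $acl
}
```

Running it a second time without `-Apply` should print nothing; any row that remains points at an entry the keep list or the removal did not cover.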
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | security_key_lifecycle_manager | 3.0 | cpe:2.3:a:ibm:security_key_lifecycle_manager:3.0:*:*:*:*:*:*:* |