Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2015-0104

CWE-284 — Improper Access Control4 documents4 sources

Severity

8.8HIGH

EPSS

2.0%

top 16.18%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

IBM Change AND Configuration Management Database IBM Maximo Asset Management IBM Maximo Asset Management Essentials +8 more

Timeline

PublishedApr 24

Latest updateMay 17

Description

IBM Tivoli IT Asset Management for IT, Tivoli Service Request Manager, and Change and Configuration Management Database 7.1 through 7.1.1.8 and 7.2 and Maximo Asset Management and Maximo Industry Solutions 7.1 through 7.1.1.8, 7.5 before 7.5.0.7 IFIX003, and 7.6 before 7.6.0.0 IFIX002 allow remote authenticated users to execute arbitrary code via unspecified vectors.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages6 packages

▶NVDibm/maximo_asset_management8 versions+7

▶NVDibm/tivoli_asset_management7.1, 7.2+1

▶NVDibm/maximo_asset_management_essentials7.1

▶NVDibm/change_and_configuration_management_database7.1, 7.2+1

▶NVDibm/tivoli_service_request_manager7.1, 7.2+1

Patches

Patch: www-01.ibm.com ↗Patch: www-01.ibm.com ↗

🔴Vulnerability Details

GHSA

GHSA-p22g-469r-3wx4: IBM Tivoli IT Asset Management for IT, Tivoli Service Request Manager, and Change and Configuration Management Database 7↗2022-05-17

▶

CVEList

CVE-2015-0104: IBM Tivoli IT Asset Management for IT, Tivoli Service Request Manager, and Change and Configuration Management Database 7↗2017-04-24

▶

💥Exploits & PoCs

Exploit-DB

IBM Tivoli Service Automation Manager 7.2.4 - Remote Code Execution↗2014-12-12

▶