CVE-2015-7494: Improper Access Control in Corporation Cloud Orchestrator

Severity: 2.8 LOW (NVD)
EPSS: 0.0% (top 85.89%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 8; Latest update May 17

Description

A vulnerability has been identified in IBM Cloud Orchestrator services/[action]/launch API. An authenticated domain admin user might modify cross domain resources via a /services/[action]/launch API call, provided it would have been possible for the domain admin user to gain access to a resource identifier of the other domain.

CVSS vector

CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N
Exploitability: 1.1 | Impact: 1.4

Affected Packages (3 packages)

NVD: ibm/cloud_orchestrator, 6 versions (+5)
NVD: ibm/smartcloud_orchestrator, 2.3, 2.3.0.1 (+1)
CVEListV5: ibm_corporation/cloud_orchestrator, 11 versions (+10)

Patches

Vulnerability Details (2)

GHSA: GHSA-p8hg-fcwf-r2vv: A vulnerability has been identified in IBM Cloud Orchestrator services/[action]/launch API (2022-05-17)
CVEList: CVE-2015-7494: A vulnerability has been identified in IBM Cloud Orchestrator services/[action]/launch API (2017-02-08)