ID

VAR-201410-1052


CVE

CVE-2014-3060


TITLE

Vulnerability in the IBM WebSphere DataPower XC10 appliance that allows gaining administrator privileges

Trust: 0.8

sources: JVNDB: JVNDB-2014-004504

DESCRIPTION

Unspecified vulnerability on the IBM WebSphere DataPower XC10 appliance 2.5 allows remote attackers to obtain administrative privileges by leveraging access to an eXtreme Scale distributed ObjectGrid network and capturing a session cookie. IBM WebSphere DataPower XC10 Appliance is prone to a local information-disclosure vulnerability. Local attackers can exploit this issue to obtain sensitive information. Information obtained may lead to further attacks. IBM WebSphere DataPower XC10 Appliance 2.5 is vulnerable. The platform enables distributed caching of data with little to no change to existing applications. The vulnerability stems from the fact that the program does not set the security attribute when creating a session cookie.

Trust: 1.98

sources: NVD: CVE-2014-3060 // JVNDB: JVNDB-2014-004504 // BID: 70271 // VULHUB: VHN-70999

AFFECTED PRODUCTS

vendor: ibm, model: websphere datapower xc10 appliance, scope: eq, version: 2.5.0.0

Trust: 1.6

vendor: ibm, model: websphere datapower xc10 appliance, scope: eq, version: -

Trust: 1.0

vendor: ibm, model: websphere datapower xc10 the appliance, scope: eq, version: 2.5.0

Trust: 0.8

vendor: ibm, model: websphere datapower xc10 the appliance, scope: -, version: -

Trust: 0.8

vendor: ibm, model: websphere datapower xc10 appliance, scope: eq, version: 2.5

Trust: 0.3

sources: BID: 70271 // JVNDB: JVNDB-2014-004504 // CNNVD: CNNVD-201410-006 // NVD: CVE-2014-3060

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-3060
value: HIGH

Trust: 1.0

NVD: CVE-2014-3060
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201410-006
value: CRITICAL

Trust: 0.6

VULHUB: VHN-70999
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2014-3060
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-70999
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-70999 // JVNDB: JVNDB-2014-004504 // CNNVD: CNNVD-201410-006 // NVD: CVE-2014-3060

PROBLEMTYPE DATA

problemtype: NVD-CWE-noinfo

Trust: 1.0

sources: NVD: CVE-2014-3060

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201410-006

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201410-006

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-004504

PATCH

title: IT03476, url: http://www-01.ibm.com/support/docview.wss?uid=swg1IT03476

Trust: 0.8

title: 1685705, url: http://www-01.ibm.com/support/docview.wss?uid=swg21685705

Trust: 0.8

title: 2.5.0.4-WS-DPXC10-VIRT, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=54166

Trust: 0.6

title: 2.5.0-WS-DPXC10-7199-FP0000004, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=54165

Trust: 0.6

title: 2.5.0-WS-DPXC10-7199-VSL-3.2.6-FP0000004, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=54164

Trust: 0.6

sources: JVNDB: JVNDB-2014-004504 // CNNVD: CNNVD-201410-006

EXTERNAL IDS

db: NVD, id: CVE-2014-3060

Trust: 2.8

db: JVNDB, id: JVNDB-2014-004504

Trust: 0.8

db: CNNVD, id: CNNVD-201410-006

Trust: 0.7

db: XF, id: 93534

Trust: 0.6

db: BID, id: 70271

Trust: 0.4

db: VULHUB, id: VHN-70999

Trust: 0.1

sources: VULHUB: VHN-70999 // BID: 70271 // JVNDB: JVNDB-2014-004504 // CNNVD: CNNVD-201410-006 // NVD: CVE-2014-3060

REFERENCES

url:http://www-01.ibm.com/support/docview.wss?uid=swg1it03476

Trust: 1.7

url:http://www-01.ibm.com/support/docview.wss?uid=swg21685705

Trust: 1.7

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/93534

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3060

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-3060

Trust: 0.8

url:http://xforce.iss.net/xforce/xfdb/93534

Trust: 0.6

url:http://www.ibm.com/

Trust: 0.3

url:http://www-03.ibm.com/software/products/en/datapower-xc10

Trust: 0.3

url:https://www-304.ibm.com/support/docview.wss?uid=swg21685705

Trust: 0.3

sources: VULHUB: VHN-70999 // BID: 70271 // JVNDB: JVNDB-2014-004504 // CNNVD: CNNVD-201410-006 // NVD: CVE-2014-3060

CREDITS

IBM

Trust: 0.3

sources: BID: 70271

SOURCES

db: VULHUB, id: VHN-70999
db: BID, id: 70271
db: JVNDB, id: JVNDB-2014-004504
db: CNNVD, id: CNNVD-201410-006
db: NVD, id: CVE-2014-3060

LAST UPDATE DATE

2025-04-13T23:14:42.041000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-70999, date: 2017-08-29T00:00:00
db: BID, id: 70271, date: 2014-09-30T00:00:00
db: JVNDB, id: JVNDB-2014-004504, date: 2014-10-03T00:00:00
db: CNNVD, id: CNNVD-201410-006, date: 2014-10-11T00:00:00
db: NVD, id: CVE-2014-3060, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: VULHUB, id: VHN-70999, date: 2014-10-02T00:00:00
db: BID, id: 70271, date: 2014-09-30T00:00:00
db: JVNDB, id: JVNDB-2014-004504, date: 2014-10-03T00:00:00
db: CNNVD, id: CNNVD-201410-006, date: 2014-10-11T00:00:00
db: NVD, id: CVE-2014-3060, date: 2014-10-02T00:55:03.657