Flashes (Alerts)
Abstract
The Eclipse components that display the help content in IBM Data Studio version 3.1 and 3.1.1 are vulnerable to redirect and cross-site scripting attacks.
Content
AFFECTED PRODUCTS:
IBM Data Studio version 3.1 and 3.1.1 running on Microsoft Windows or Linux operating systems.
| ID | Description | CVSS |
|---|---|---|
| CVE-2012-2159 | The IBM Data Studio Help system contains an open redirect vulnerability. A Data Studio user needs to be tricked into inserting a mal-formed URL address into the browser or click on a mal-formed URL link. For more information, see https://exchange.xforce.ibmcloud.com/vulnerabilities/74832. | CVSS Base Score: 4.3 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/74832 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) |
| CVE-2012-2161 | The IBM Data Studio Help system contains a Cross-Site Scripting vulnerability. A Data Studio user needs to be tricked into inserting a mal-formed URL address into the browser or click on a mal-formed URL link. For more information, see https://exchange.xforce.ibmcloud.com/vulnerabilities/74833. | CVSS Base Score: 4.3 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/74833 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) |
| CVE-2013-0467 | The IBM Data Studio Help system contains a vulnerability that could allow disclosure of source code on the help system server. For more information, see https://exchange.xforce.ibmcloud.com/vulnerabilities/81102. | CVSS Base Score: 4 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81102 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N) |
REMEDIATION:
Fix:
Upgrade to IBM Data Studio 3.2:
http://www.ibm.com/developerworks/downloads/im/data/Workaround:
Access the IBM Data Studio Information Center on the web:
http://pic.dhe.ibm.com/infocenter/dstudio/v3r2/index.jspMitigation:
Do not use URLs or click on links to the Data Studio help system that are provided to you by untrusted sources. You should not use a URL that contain extra parameters or text that are unrelated to the Data Studio help system.
REFERENCES:
· Complete CVSS Guide
· On-line Calculator V2
· X-Force Vulnerability Database (74832)
· X-Force Vulnerability Database (74833)
· X-Force Vulnerability Database (81102)
· CVE-2012-2159
· CVE-2012-2161
· CVE-2013-0467
RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Program
CHANGE HISTORY:
15 February 2013: Original publication.
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Was this topic helpful?
Document Information
Modified date:
25 September 2022
UID
swg21625573