CVE-2014-4803

CRLF injection vulnerability in the Universal Access implementation in IBM Curam Social Program Management 6.0 SP2 before EP26, 6.0.4 before 6.0.4.5 iFix007, and 6.0.5 before 6.0.5.5 iFix003, when WebSphere Application Server is not used, allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via an unspecified parameter.

CVSS v2.0 3.5 LOW

3.5^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:M/Au:S/C:N/I:P/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://www-01.ibm.com/support/docview.wss?uid=swg21695925	Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/95305

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ibm:curam_social_program_management::sp2::::::*
	cpe:2.3:a:ibm:curam_social_program_management:6.0.4.0:::::::*
	cpe:2.3:a:ibm:curam_social_program_management:6.0.4.1:::::::*
	cpe:2.3:a:ibm:curam_social_program_management:6.0.4.2:::::::*
	cpe:2.3:a:ibm:curam_social_program_management:6.0.4.3:::::::*
	cpe:2.3:a:ibm:curam_social_program_management:6.0.4.4:::::::*
	cpe:2.3:a:ibm:curam_social_program_management:6.0.4.5:::::::*
	cpe:2.3:a:ibm:curam_social_program_management:6.0.5.0:::::::*
	cpe:2.3:a:ibm:curam_social_program_management:6.0.5.1:::::::*
	cpe:2.3:a:ibm:curam_social_program_management:6.0.5.2:::::::*
	cpe:2.3:a:ibm:curam_social_program_management:6.0.5.3:::::::*
	cpe:2.3:a:ibm:curam_social_program_management:6.0.5.4:::::::*
	cpe:2.3:a:ibm:curam_social_program_management:6.0.5.5:::::::*

History

No history.

Information

Published : 2015-02-13 02:59

Updated : 2023-12-10 11:31

NVD link : CVE-2014-4803

Mitre link : CVE-2014-4803

CVE.ORG link : CVE-2014-4803

JSON object : View

Products Affected

ibm

curam_social_program_management

CWE

NVD-CWE-Other

{"id": "CVE-2014-4803", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}]}, "published": "2015-02-13T02:59:02.563", "references": [{"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21695925", "tags": ["Vendor Advisory"], "source": "psirt@us.ibm.com"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/95305", "source": "psirt@us.ibm.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "CRLF injection vulnerability in the Universal Access implementation in IBM Curam Social Program Management 6.0 SP2 before EP26, 6.0.4 before 6.0.4.5 iFix007, and 6.0.5 before 6.0.5.5 iFix003, when WebSphere Application Server is not used, allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via an unspecified parameter."}, {"lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n CRLF en la implementaci\u00f3n Universal Access en IBM Curam Social Program Management 6.0 SP2 anterior a EP26, 6.0.4 anterior a 6.0.4.5 iFix007, y 6.0.5 anterior a 6.0.5.5 iFix003, cuando WebSphere Application Server no est\u00e1 utilizado, permite a usuarios remotos autenticados inyectar cabeceras HTTP arbitrarias y realizar ataques de la divisi\u00f3n de respuestas HTTP a trav\u00e9s de un par\u00e1metro no especificado."}], "lastModified": "2017-08-29T01:35:07.703", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ibm:curam_social_program_management:*:sp2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C2530A07-5606-47F9-A469-111974655233", "versionEndIncluding": "6.0"}, {"criteria": "cpe:2.3:a:ibm:curam_social_program_management:6.0.4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AEFDBB0F-A8C9-40DF-81CF-799D034D2EE0"}, {"criteria": "cpe:2.3:a:ibm:curam_social_program_management:6.0.4.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BB8E3B08-7171-414D-8A41-14C9E18B1BAB"}, {"criteria": "cpe:2.3:a:ibm:curam_social_program_management:6.0.4.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "940271A7-2CC3-4A34-BB5A-D9F4D45A7895"}, {"criteria": "cpe:2.3:a:ibm:curam_social_program_management:6.0.4.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A2F3FDC1-B49D-46DD-B9F7-DCE3F1FD4B5A"}, {"criteria": "cpe:2.3:a:ibm:curam_social_program_management:6.0.4.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "13AA664F-BCD8-4CED-A201-E2543D437E1C"}, {"criteria": "cpe:2.3:a:ibm:curam_social_program_management:6.0.4.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A6711519-4E7D-4782-8372-7996C24E50D6"}, {"criteria": "cpe:2.3:a:ibm:curam_social_program_management:6.0.5.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "17929DC8-0E48-4BF4-AAFE-6463C8540FF9"}, {"criteria": "cpe:2.3:a:ibm:curam_social_program_management:6.0.5.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2FD3FF4C-C12A-4CBC-8983-85929C5D121E"}, {"criteria": "cpe:2.3:a:ibm:curam_social_program_management:6.0.5.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DAE6D88C-92CF-415E-978C-0107C4C4C52C"}, {"criteria": "cpe:2.3:a:ibm:curam_social_program_management:6.0.5.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CB928C52-91BB-43A6-B25F-F359F05F1388"}, {"criteria": "cpe:2.3:a:ibm:curam_social_program_management:6.0.5.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "25DE6951-4C91-4443-843C-805D416F4074"}, {"criteria": "cpe:2.3:a:ibm:curam_social_program_management:6.0.5.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "23EA1C1F-003F-4411-AC1D-F75811D6FFEC"}], "operator": "OR"}]}], "evaluatorComment": "<a href=\"http://cwe.mitre.org/data/definitions/93.html\" target=\"_blank\">CWE-93: CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')</a>", "sourceIdentifier": "psirt@us.ibm.com"}