CVE-2017-1287

IBM Rhapsody DM 5.0 and 6.0 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim.

CVSS v3 5.4 MEDIUM
CVSS v2.0 4.9 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector : AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

4.9^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:S/C:P/I:P/A:N

Exploitability : 6.8 / Impact : 4.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://www.ibm.com/support/docview.wss?uid=swg22006052	Patch Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/125148	VDB Entry

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ibm:rhapsody_design_manager:5.0:::::::*
	cpe:2.3:a:ibm:rhapsody_design_manager:5.0.1:::::::*
	cpe:2.3:a:ibm:rhapsody_design_manager:5.0.2:::::::*
	cpe:2.3:a:ibm:rhapsody_design_manager:6.0:::::::*
	cpe:2.3:a:ibm:rhapsody_design_manager:6.0.1:::::::*
	cpe:2.3:a:ibm:rhapsody_design_manager:6.0.2:::::::*
	cpe:2.3:a:ibm:rhapsody_design_manager:6.0.3:::::::*

History

No history.

Information

Published : 2017-07-24 21:29

Updated : 2023-12-10 12:15

NVD link : CVE-2017-1287

Mitre link : CVE-2017-1287

CVE.ORG link : CVE-2017-1287

JSON object : View

Products Affected

ibm

rhapsody_design_manager

CWE

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

{"id": "CVE-2017-1287", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.9, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2017-07-24T21:29:00.330", "references": [{"url": "http://www.ibm.com/support/docview.wss?uid=swg22006052", "tags": ["Patch", "Vendor Advisory"], "source": "psirt@us.ibm.com"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/125148", "tags": ["VDB Entry"], "source": "psirt@us.ibm.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-601"}]}], "descriptions": [{"lang": "en", "value": "IBM Rhapsody DM 5.0 and 6.0 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim."}, {"lang": "es", "value": "IBM Rhapsody DM en sus versiones 5.0 y 6.0 podr\u00eda permitir que un atacante remoto lleve a cabo ataques de phishing empleando un ataque de redirecci\u00f3n abierta. Al persuadir a una v\u00edctima para que visite un sitio web especialmente manipulado, un atacante remoto podr\u00eda explotar esta vulnerabilidad para suplantar la URL mostrada y redirigir al usuario a un sitio web malicioso que, a priori, parecer\u00eda de confianza. Esto podr\u00eda permitir que el atacante obtuviese informaci\u00f3n sumamente sensible o que llevase a cabo m\u00e1s ataques contra la v\u00edctima."}], "lastModified": "2017-07-28T17:02:11.767", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ibm:rhapsody_design_manager:5.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BB9F8754-B1A3-4261-B879-8E02FADFE4FB"}, {"criteria": "cpe:2.3:a:ibm:rhapsody_design_manager:5.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "301BD8A0-35A8-4AEE-9D8F-28BC8E0C3FA3"}, {"criteria": "cpe:2.3:a:ibm:rhapsody_design_manager:5.0.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "84620B49-B887-4A87-A2EF-6E763AB4E9D6"}, {"criteria": "cpe:2.3:a:ibm:rhapsody_design_manager:6.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "094E765E-C844-4E35-9CDC-F291F7082C1E"}, {"criteria": "cpe:2.3:a:ibm:rhapsody_design_manager:6.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "92322AD7-00B7-496B-9924-D8929E7BAAA7"}, {"criteria": "cpe:2.3:a:ibm:rhapsody_design_manager:6.0.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "838DE085-54BB-4726-9E6F-FAF26EDFE539"}, {"criteria": "cpe:2.3:a:ibm:rhapsody_design_manager:6.0.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8973E37A-6451-4FA0-A340-4E09E4F3D21C"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@us.ibm.com"}