Multiple vulnerabilities in IBM System Storage Virtualization Engine TS7700



Risk Low
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2023-49877
CVE-2023-49878
CWE-ID CWE-200
CWE-209
Exploitation vector Network
Public exploit N/A
Vulnerable software
IBM Virtualization Engine TS7700 3948-VED
Other software / Other software solutions

Virtualization Engine TS7700 3957-VED
Hardware solutions / Firmware

Virtualization Engine TS7700 3957-VEC
Hardware solutions / Firmware

Vendor IBM Corporation

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Information disclosure

EUVDB-ID: #VU91591

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-49877

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to improper filtering of URLs. A remote user can submit a specially crafted HTTP GET request to view application source code, system configuration information, or other sensitive data related to the Management Interface

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM Virtualization Engine TS7700 3948-VED: before 8.53.1.21 VTD_EXEC.903

Virtualization Engine TS7700 3957-VED: before 8.52.103.23 VTD_EXEC.901

Virtualization Engine TS7700 3957-VEC: before 8.52.103.23 VTD_EXEC.901

CPE2.3 External links

http://www.ibm.com/support/pages/node/7092383


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Information Exposure Through an Error Message

EUVDB-ID: #VU91590

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-49878

CWE-ID: CWE-209 - Information Exposure Through an Error Message

Exploit availability: No

Description

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability occurs when a detailed technical error message is returned in the browser. A remote user can gain unauthorized access to sensitive information on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM Virtualization Engine TS7700 3948-VED: before 8.53.1.21 VTD_EXEC.903

Virtualization Engine TS7700 3957-VED: before 8.52.103.23 VTD_EXEC.901

Virtualization Engine TS7700 3957-VEC: before 8.52.103.23 VTD_EXEC.901

CPE2.3 External links

http://www.ibm.com/support/pages/node/7092383


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###