Multiple vulnerabilities in IBM System Storage Virtualization Engine TS7700
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2023-49877 CVE-2023-49878 |
| CWE-ID | CWE-200 CWE-209 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
IBM Virtualization Engine TS7700 3948-VED Other software / Other software solutions Virtualization Engine TS7700 3957-VED Hardware solutions / Firmware Virtualization Engine TS7700 3957-VEC Hardware solutions / Firmware |
| Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Information disclosure
EUVDB-ID: #VU91591
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-49877
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain access to potentially sensitive information.
The vulnerability exists due to improper filtering of URLs. A remote user can submit a specially crafted HTTP GET request to view application source code, system configuration information, or other sensitive data related to the Management Interface
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Virtualization Engine TS7700 3948-VED: before 8.53.1.21 VTD_EXEC.903
Virtualization Engine TS7700 3957-VED: before 8.52.103.23 VTD_EXEC.901
Virtualization Engine TS7700 3957-VEC: before 8.52.103.23 VTD_EXEC.901
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_virtualization_engine_ts7700_3948-ved:*:*:*:*:*:*:*:
- cpe:2.3:h:ibm_corporation:virtualization_engine_ts7700_3957-ved:*:*:*:*:*:*:*:
- cpe:2.3:h:ibm_corporation:virtualization_engine_ts7700_3957-vec:*:*:*:*:*:*:*:
http://www.ibm.com/support/pages/node/7092383
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Information Exposure Through an Error Message
EUVDB-ID: #VU91590
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-49878
CWE-ID:
CWE-209 - Information Exposure Through an Error Message
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain access to potentially sensitive information.
The vulnerability occurs when a detailed technical error message is returned in the browser. A remote user can gain unauthorized access to sensitive information on the system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Virtualization Engine TS7700 3948-VED: before 8.53.1.21 VTD_EXEC.903
Virtualization Engine TS7700 3957-VED: before 8.52.103.23 VTD_EXEC.901
Virtualization Engine TS7700 3957-VEC: before 8.52.103.23 VTD_EXEC.901
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_virtualization_engine_ts7700_3948-ved:*:*:*:*:*:*:*:
- cpe:2.3:h:ibm_corporation:virtualization_engine_ts7700_3957-ved:*:*:*:*:*:*:*:
- cpe:2.3:h:ibm_corporation:virtualization_engine_ts7700_3957-vec:*:*:*:*:*:*:*:
http://www.ibm.com/support/pages/node/7092383
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
