CVE-2015-1937
Summary
| CVE | CVE-2015-1937 |
|---|---|
| State | PUBLISHED |
| Assigner | ibm |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2015-05-30 19:59:02 UTC |
| Updated | 2026-05-06 22:30:45 UTC |
| Description | IBM PowerVC 1.2.0.x through 1.2.0.4, 1.2.1.x through 1.2.1.2, and 1.2.2.x through 1.2.2.2 does not require authentication for the ceilometer NoSQL database, which allows remote attackers to read or write to arbitrary database records, and consequently obtain administrator privileges, via a session on port 27017. |
Risk And Classification
CVSS v2.0 Breakdown
Access Vector
NetworkAccess Complexity
LowAuthentication
NoneConfidentiality
PartialIntegrity
PartialAvailability
PartialAV:N/AC:L/Au:N/C:P/I:P/A:P
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Ibm | Powervc | 1.2.0.0 | All | All | All |
| Application | Ibm | Powervc | 1.2.0.0 | All | All | All |
| Application | Ibm | Powervc | 1.2.0.1 | All | All | All |
| Application | Ibm | Powervc | 1.2.0.1 | All | All | All |
| Application | Ibm | Powervc | 1.2.0.2 | All | All | All |
| Application | Ibm | Powervc | 1.2.0.2 | All | All | All |
| Application | Ibm | Powervc | 1.2.0.3 | All | All | All |
| Application | Ibm | Powervc | 1.2.0.3 | All | All | All |
| Application | Ibm | Powervc | 1.2.0.4 | All | All | All |
| Application | Ibm | Powervc | 1.2.0.4 | All | All | All |
| Application | Ibm | Powervc | 1.2.1.0 | All | All | All |
| Application | Ibm | Powervc | 1.2.1.0 | All | All | All |
| Application | Ibm | Powervc | 1.2.1.1 | All | All | All |
| Application | Ibm | Powervc | 1.2.1.2 | All | All | All |
| Application | Ibm | Powervc | 1.2.1.2 | All | All | All |
| Application | Ibm | Powervc | 1.2.2.0 | All | All | All |
| Application | Ibm | Powervc | 1.2.2.0 | All | All | All |
| Application | Ibm | Powervc | 1.2.2.1 | All | All | All |
| Application | Ibm | Powervc | 1.2.2.1 | All | All | All |
| Application | Ibm | Powervc | 1.2.2.2 | All | All | All |
| Application | Ibm | Powervc | 1.2.2.2 | All | All | All |
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| IBM PowerVC CVE-2015-1937 Authentication Bypass Vulnerability | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | |
| IBM Security Bulletin: Ceilometer database access unrestricted in PowerVC (CVE-2015-1937) - United States | af854a3a-2127-422b-91ae-364da2661108 | www-01.ibm.com | Patch, Vendor Advisory |
| IT08806: IBM PowerVC is using a ceilometer database that does not have authentication enabled. | af854a3a-2127-422b-91ae-364da2661108 | www-01.ibm.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.