CVE-2015-1937
Summary
| CVE | CVE-2015-1937 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2015-05-30 19:59:00 UTC |
| Updated | 2016-11-30 03:00:00 UTC |
| Description | IBM PowerVC 1.2.0.x through 1.2.0.4, 1.2.1.x through 1.2.1.2, and 1.2.2.x through 1.2.2.2 does not require authentication for the ceilometer NoSQL database, which allows remote attackers to read or write to arbitrary database records, and consequently obtain administrator privileges, via a session on port 27017. |
Risk And Classification
Problem Types: CWE-284
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | IBM | PowerVC | 1.2.0.0 | All | All | All |
| Application | IBM | PowerVC | 1.2.0.1 | All | All | All |
| Application | IBM | PowerVC | 1.2.0.2 | All | All | All |
| Application | IBM | PowerVC | 1.2.0.3 | All | All | All |
| Application | IBM | PowerVC | 1.2.0.4 | All | All | All |
| Application | IBM | PowerVC | 1.2.1.0 | All | All | All |
| Application | IBM | PowerVC | 1.2.1.1 | All | All | All |
| Application | IBM | PowerVC | 1.2.1.2 | All | All | All |
| Application | IBM | PowerVC | 1.2.2.0 | All | All | All |
| Application | IBM | PowerVC | 1.2.2.1 | All | All | All |
| Application | IBM | PowerVC | 1.2.2.2 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| IBM Security Bulletin: Ceilometer database access unrestricted in PowerVC (CVE-2015-1937) - United States | CONFIRM | www-01.ibm.com | Patch, Vendor Advisory |
| IT08806: IBM PowerVC is using a ceilometer database that does not have authentication enabled. | AIXAPAR | www-01.ibm.com | |
| IBM PowerVC CVE-2015-1937 Authentication Bypass Vulnerability | BID | www.securityfocus.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |