{"api_version":"1","generated_at":"2026-04-23T01:31:40+00:00","cve":"CVE-2018-1447","urls":{"html":"https://cve.report/CVE-2018-1447","api":"https://cve.report/api/cve/CVE-2018-1447.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-1447","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-1447"},"summary":{"title":"CVE-2018-1447","description":"The GSKit (IBM Spectrum Protect 7.1 and 7.2) and (IBM Spectrum Protect Snapshot 4.1.3, 4.1.4, and 4.1.6) CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. IBM X-Force ID: 139972.","state":"PUBLIC","assigner":"psirt@us.ibm.com","published_at":"2018-04-04 18:29:00","updated_at":"2019-10-03 00:03:00"},"problem_types":["CWE-916"],"metrics":[],"references":[{"url":"http://www.ibm.com/support/docview.wss?uid=swg22014669","name":"http://www.ibm.com/support/docview.wss?uid=swg22014669","refsource":"CONFIRM","tags":["Patch","Vendor Advisory"],"title":"IBM Security Bulletin: Multiple vulnerabilities in the IBM GSKit component of IBM Spectrum Protect (formerly Tivoli Storage Manager) Client - United States","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/104511","name":"104511","refsource":"BID","tags":[],"title":"Multiple IBM Products CVE-2018-1447 Local Information Disclosure Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"http://www.ibm.com/support/docview.wss?uid=swg22015071","name":"http://www.ibm.com/support/docview.wss?uid=swg22015071","refsource":"CONFIRM","tags":["Patch","Vendor Advisory"],"title":"IBM Security Bulletin: Multiple vulnerabilities in the IBM GSKit component of IBM Spectrum Protect Snapshot (formerly Tivoli Storage FlashCopy Manager) for VMware - United States","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.ibm.com/support/docview.wss?uid=swg22015066","name":"http://www.ibm.com/support/docview.wss?uid=swg22015066","refsource":"CONFIRM","tags":["Patch","Vendor Advisory"],"title":"IBM Security Bulletin: Multiple vulnerabilities in the IBM GSKit component of IBM Spectrum Protect (formerly Tivoli Storage Manager) for Virtual Environments: Data Protection for VMware - United States","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securitytracker.com/id/1041012","name":"1041012","refsource":"SECTRACK","tags":[],"title":"IBM Security Network Protection GSKit Flaws Let Local Users Obtain Passwords and Other Sensitive Information and Deny Service - SecurityTracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.ibm.com/support/docview.wss?uid=swg22014957","name":"http://www.ibm.com/support/docview.wss?uid=swg22014957","refsource":"CONFIRM","tags":["Patch","Vendor Advisory"],"title":"Security Bulletin: Multiple vulnerabilities in the IBM GSKit component of IBM Spectrum Protect (formerly Tivoli Storage Manager) for Space Management","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/139972","name":"https://exchange.xforce.ibmcloud.com/vulnerabilities/139972","refsource":"MISC","tags":["VDB Entry","Vendor Advisory"],"title":"IBM X-Force Exchange","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-1447","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1447","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"1447","vulnerable":"1","versionEndIncluding":"7.1.8.1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"ibm","cpe5":"spectrum_protect_for_space_management","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"vmware","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"1447","vulnerable":"1","versionEndIncluding":"8.1.4.0","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"ibm","cpe5":"spectrum_protect_for_space_management","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"vmware","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"1447","vulnerable":"1","versionEndIncluding":"7.1.8.0","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"ibm","cpe5":"spectrum_protect_for_virtual_environments","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"vmware","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"1447","vulnerable":"1","versionEndIncluding":"8.1.4.0","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"ibm","cpe5":"spectrum_protect_for_virtual_environments","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"vmware","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"1447","vulnerable":"1","versionEndIncluding":"4.1.6.3","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"ibm","cpe5":"spectrum_protect_snapshot","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"vmware","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"psirt@us.ibm.com","DATE_PUBLIC":"2018-03-29T00:00:00","ID":"CVE-2018-1447","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Spectrum Protect","version":{"version_data":[{"version_value":"7.1"},{"version_value":"8.1"}]}},{"product_name":"Spectrum Protect Snapshot","version":{"version_data":[{"version_value":"4.1.3"},{"version_value":"4.1.4"},{"version_value":"4.1.6"}]}},{"product_name":"Spectrum Protect for Virtual Environments","version":{"version_data":[{"version_value":"7.1"},{"version_value":"8.1"}]}},{"product_name":"Spectrum Protect for Space Management","version":{"version_data":[{"version_value":"7.1"},{"version_value":"8.1"}]}}]},"vendor_name":"IBM"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"The GSKit (IBM Spectrum Protect 7.1 and 7.2) and (IBM Spectrum Protect Snapshot 4.1.3, 4.1.4, and 4.1.6) CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. IBM X-Force ID: 139972."}]},"impact":{"cvssv3":{"BM":{"A":"N","AC":"H","AV":"L","C":"H","I":"N","PR":"N","S":"U","SCORE":"5.100","UI":"N"}}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Obtain Information"}]}]},"references":{"reference_data":[{"name":"http://www.ibm.com/support/docview.wss?uid=swg22015066","refsource":"CONFIRM","url":"http://www.ibm.com/support/docview.wss?uid=swg22015066"},{"name":"http://www.ibm.com/support/docview.wss?uid=swg22014957","refsource":"CONFIRM","url":"http://www.ibm.com/support/docview.wss?uid=swg22014957"},{"name":"https://exchange.xforce.ibmcloud.com/vulnerabilities/139972","refsource":"MISC","url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/139972"},{"name":"http://www.ibm.com/support/docview.wss?uid=swg22015071","refsource":"CONFIRM","url":"http://www.ibm.com/support/docview.wss?uid=swg22015071"},{"name":"104511","refsource":"BID","url":"http://www.securityfocus.com/bid/104511"},{"name":"1041012","refsource":"SECTRACK","url":"http://www.securitytracker.com/id/1041012"},{"name":"http://www.ibm.com/support/docview.wss?uid=swg22014669","refsource":"CONFIRM","url":"http://www.ibm.com/support/docview.wss?uid=swg22014669"}]}},"nvd":{"publishedDate":"2018-04-04 18:29:00","lastModifiedDate":"2019-10-03 00:03:00","problem_types":["CWE-916"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH"},"exploitabilityScore":2.2,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:N/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:ibm:spectrum_protect_for_virtual_environments:*:*:*:*:*:vmware:*:*","versionStartIncluding":"8.1.0.0","versionEndIncluding":"8.1.4.0","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:ibm:spectrum_protect_for_virtual_environments:*:*:*:*:*:vmware:*:*","versionStartIncluding":"7.1.0.0","versionEndIncluding":"7.1.8.0","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:ibm:spectrum_protect_for_space_management:*:*:*:*:*:vmware:*:*","versionStartIncluding":"8.1.0.0","versionEndIncluding":"8.1.4.0","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:ibm:spectrum_protect_for_space_management:*:*:*:*:*:vmware:*:*","versionStartIncluding":"7.1.0.0","versionEndIncluding":"7.1.8.1","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:ibm:spectrum_protect_snapshot:*:*:*:*:*:vmware:*:*","versionStartIncluding":"4.1.0.0","versionEndIncluding":"4.1.6.3","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"1447","Ordinal":"116971","Title":"CVE-2018-1447","CVE":"CVE-2018-1447","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"1447","Ordinal":"1","NoteData":"The GSKit (IBM Spectrum Protect 7.1 and 7.2) and (IBM Spectrum Protect Snapshot 4.1.3, 4.1.4, and 4.1.6) CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action. IBM X-Force ID: 139972.","Type":"Description","Title":null},{"CveYear":"2018","CveId":"1447","Ordinal":"2","NoteData":"2018-04-04","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"1447","Ordinal":"3","NoteData":"2018-10-12","Type":"Other","Title":"Modified"}]}}}