World-Writable Permissions in IBM Tivoli Integrated Portal Affecting eWAS
CVE-2014-3020

Currently unrated

Key Information:

Vendor: IBM
Status: Embedded Websphere Application Server; Tivoli Integrated Portal
Vendor: CVE Published:; 29 July 2014

What is CVE-2014-3020?

The install.sh script used in the Embedded WebSphere Application Server (eWAS) versions prior to FP33 for IBM Tivoli Integrated Portal (TIP) 2.1 and 2.2 is improperly configured with world-writable permissions for the installRoot directory tree. This misconfiguration can lead to significant security risks, as it enables local users to exploit this vulnerability through the execution of a Trojan horse program, potentially gaining unauthorized privileges within the system.

References

http://secunia.com/advisories/59687

third-party-advisoryx_refsource_SECUNIA

http://www-01.ibm.com/support/docview.wss?uid=swg21680841

x_refsource_CONFIRM

http://www-01.ibm.com/support/docview.wss?uid=swg21679952

x_refsource_CONFIRM

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 29, 2014
Vulnerability Reserved
Apr 29, 2014