World-Writable Permissions in IBM Tivoli Integrated Portal Affecting eWAS
CVE-2014-3020

Currently unrated

Key Information:

Vendor: IBM
CVE Published: 29 July 2014

Summary

The install.sh script used in the Embedded WebSphere Application Server (eWAS) versions prior to FP33 for IBM Tivoli Integrated Portal (TIP) 2.1 and 2.2 sets world-writable permissions on the installRoot directory tree. Because any local account can then create or replace files in that tree, a local user can plant a Trojan horse program there and gain unauthorized privileges when it is executed.
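An audit for the condition described above, as an added example that is not IBM's code or part of the original advisory: it lists entries in an install tree that "other" can write to and clears that bit. The sample tree and its file names are constructed for the demonstration; pass your own installRoot path as the first argument.

```shell
#!/bin/sh
# Added example: audit an install tree for world-writable entries.
# The sample tree built below is constructed, not taken from the advisory.

# Print every file or directory under $1 that "other" can write to.
# Symlinks are skipped because their own mode bits are not meaningful.
list_world_writable() {
    find "$1" ! -type l -perm -0002 -print 2>/dev/null
}

# Count the findings; 0 means the tree is clean.
# (Assumes no path contains a newline.)
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Clear only the world-write bit on flagged entries; owner and group
# bits, and execute bits, are left as they were.
harden_tree() {
    find "$1" ! -type l -perm -0002 -exec chmod o-w {} +
}

# Build a constructed sample tree that mimics the flawed result:
# the root, bin/ and one script are mode 777, the rest is sane.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/bin" "$root/lib"
    printf '#!/bin/sh\n' > "$root/bin/startServer.sh"
    printf 'data\n' > "$root/lib/app.jar"
    chmod 777 "$root" "$root/bin" "$root/bin/startServer.sh"
    chmod 755 "$root/lib"
    chmod 644 "$root/lib/app.jar"
    printf '%s\n' "$root"
}

# Stand-alone use: ./audit.sh /path/to/installRoot
if [ -n "${1:-}" ]; then
    list_world_writable "$1"
    echo "world-writable entries: $(count_world_writable "$1")"
fi
```

Run the listing before `harden_tree` and review it: a world-writable tree may already contain files that were planted or replaced, and removing the bit does not undo that.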
