Cross-Domain Resource Manipulation in IBM Cloud Orchestrator
CVE-2015-7494

2.8LOW

Key Information:

Vendor: IBM
Status: Cloud Orchestrator
Vendor: CVE Published:; 8 February 2017

Summary

A vulnerability has been discovered in IBM Cloud Orchestrator that allows an authenticated domain admin user to exploit the /services/[action]/launch API. This flaw enables the user to manipulate cross-domain resources, given that they possess access to the resource identifier from a different domain. Such permissions can lead to unauthorized access or alterations of sensitive resources, increasing potential security risks. Proper access controls and validations are essential to mitigate this vulnerability.

Affected Version(s)

Cloud Orchestrator 2.2

Cloud Orchestrator 2.2.0.1

Cloud Orchestrator 2.3

References

http://www.ibm.com/support/docview.wss?uid=swg2C1000140

x_refsource_CONFIRM

http://www.securityfocus.com/bid/94438

vdb-entryx_refsource_BID

CVSS V3.1

Score:

2.8

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Feb 8, 2017
Vulnerability Reserved
Sep 29, 2015