CVE-2016-3028

high-risk

Published 2016-11-25

IBM Security Access Manager for Web 7.0 before IF2 and 8.0 before 8.0.1.4 IF3 and Security Access Manager 9.0 before 9.0.1.0 IF5 allow remote authenticated users to execute arbitrary commands by leveraging LMI admin access.

Do I need to act?

-

0.57% chance of exploitation

EPSS score — low exploit probability

-

Not on CISA KEV list

No confirmed active exploitation reported to CISA

?

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

9

CVSS 9.1/10 Critical

NETWORK / LOW complexity

Affected Products (12)

Security Access Manager

Security Access Manager

Security Access Manager

Security Access Manager For Web

Security Access Manager For Web

Security Access Manager For Web

Security Access Manager For Web

Security Access Manager For Web

Security Access Manager For Web

Security Access Manager For Web

Security Access Manager For Web

Security Access Manager For Web

Affected Vendors

Ibm

References (10)

Broken Link http://www-01.ibm.com/support/docview.wss?uid=swg1IV89257

Broken Link http://www-01.ibm.com/support/docview.wss?uid=swg1IV89322

Broken Link http://www-01.ibm.com/support/docview.wss?uid=swg1IV89326

Vendor Advisory http://www-01.ibm.com/support/docview.wss?uid=swg21990317

http://www.securityfocus.com/bid/93176

Broken Link http://www-01.ibm.com/support/docview.wss?uid=swg1IV89257

Broken Link http://www-01.ibm.com/support/docview.wss?uid=swg1IV89322

Broken Link http://www-01.ibm.com/support/docview.wss?uid=swg1IV89326

Vendor Advisory http://www-01.ibm.com/support/docview.wss?uid=swg21990317

http://www.securityfocus.com/bid/93176

50

/ 100

high-risk

Severity 31/34 · Critical

Exploitability 2/34 · Minimal

Exposure 17/34 · Moderate