IBM Tivoli Storage Manager Client Symlink Cross-User Information Disclosure

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

A client application installed on the remote Linux host is affected by
a local information disclosure vulnerability.

Description :

The version of IBM Tivoli Storage Manager Client installed on the
remote Linux host is 5.5.x prior to 6.3.2.6, 6.4.x prior to 6.4.3.3,
or 7.1.x prior to 7.1.6. It is, therefore, affected by an information
disclosure vulnerability due to creating temporary files insecurely. A
local attacker can exploit this, via a symlink created during archive
and retrieve actions, to disclose data from arbitrary accounts.

See also :

http://www-01.ibm.com/support/docview.wss?uid=swg21985579

Solution :

Upgrade to Tivoli Storage Manager Client version 6.3.2.6 / 6.4.3.3 /
7.1.6 or later.

Risk factor :

Low / CVSS Base Score : 1.9
(CVSS2#AV:L/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 1.6
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true

Family: Misc.

Nessus Plugin ID: 91981

Bugtraq ID: 91534

CVE ID: CVE-2016-2894
