CVE-2013-6334

EUVD-2013-6160

10.01.2014, 12:02

IBM Atlas eDiscovery Process Management 6.0.1.5 and earlier and 6.0.2, Disposal and Governance Management for IT 6.0.1.5 and earlier and 6.0.2, and Global Retention Policy and Schedule Management 6.0.1.5 and earlier and 6.0.2 in IBM Atlas Suite (aka Atlas Policy Suite) do not properly validate sessions, which allows remote attackers to bypass intended access restrictions, and visit PolicyAtlas/ResponseDraftServlet (aka the Compliance Questionnaire Save Draft servlet), via unspecified vectors.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.4 UNKNOWN	NETWORK	LOW		AV:N/AC:L/Au:N/C:P/I:P/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 39%

Affected Products (NVD)

Vendor	Product	Version
ibm	atlas_ediscovery_process_management	𝑥 ≤ 6.0.1.5
ibm	atlas_ediscovery_process_management	6.0.2
ibm	atlas_suite	-
ibm	disposal_and_governance_management_for_it	𝑥 ≤ 6.0.1.5
ibm	disposal_and_governance_management_for_it	6.0.2
ibm	global_retention_policy_and_schedule_management	𝑥 ≤ 6.0.1.5
ibm	global_retention_policy_and_schedule_management	6.0.2

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References

http://osvdb.org/show/osvdb/101855

http://www.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_atlas_suite_atlas_policy_suite_sql_injection_vulnerability_cve_2013_6321_and_access_control_vulnerability_cve_2013_6334

http://www.securityfocus.com/bid/64751

http://osvdb.org/show/osvdb/101855

http://www.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_atlas_suite_atlas_policy_suite_sql_injection_vulnerability_cve_2013_6321_and_access_control_vulnerability_cve_2013_6334

http://www.securityfocus.com/bid/64751