Improper access control in IBM Tivoli System Automation Application Manager
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2014-7810 |
| CWE-ID | CWE-284 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
IBM Tivoli System Automation Application Manager Server applications / Other server solutions |
| Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Improper access control
EUVDB-ID: #VU64583
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2014-7810
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to Expression Language (EL) implementation in Apache Tomcat does not properly consider the possibility of an accessible interface implemented by an inaccessible class. A remote attacker can bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Tivoli System Automation Application Manager: 4.1.0.0 - 4.1.0.1
External linkshttp://www.ibm.com/support/pages/node/739953
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
