CVE-2015-4949: Infoleak
First published: Sun Aug 23 2015(Updated: )
IBM Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server 7.1 before 7.1.2, Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server 7.1 before 7.1.2, and Tivoli Storage FlashCopy Manager 4.1 before 4.1.2 place cleartext passwords in exception messages, which allows physically proximate attackers to obtain sensitive information by reading GUI pop-up windows, a different vulnerability than CVE-2015-6557.
Credit: psirt@us.ibm.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| IBM FlashCopy Manager | =4.1.0 | |
| IBM FlashCopy Manager | =4.1.2 | |
| IBM Tivoli Storage Manager for Databases Data Protection for Microsoft SQL Server | =7.1 | |
| IBM Tivoli Storage Manager for Databases Data Protection for Microsoft SQL Server | =7.2 | |
| IBM Tivoli Storage Manager for Mail Data Protection for Microsoft Exchange Server | =7.1 | |
| IBM Tivoli Storage Manager for Mail Data Protection for Microsoft Exchange Server | =7.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2015-4949?
CVE-2015-4949 is classified as a medium severity vulnerability due to the exposure of cleartext passwords in exception messages.
How do I fix CVE-2015-4949?
To fix CVE-2015-4949, upgrade to the latest versions of IBM Tivoli Storage Manager for Databases, Tivoli Storage Manager for Mail, or Tivoli Storage FlashCopy Manager as specified in the product documentation.
Which products are affected by CVE-2015-4949?
CVE-2015-4949 affects IBM Tivoli Storage Manager for Databases, Tivoli Storage Manager for Mail, and Tivoli Storage FlashCopy Manager prior to their specified fixed versions.
What is the impact of CVE-2015-4949?
The impact of CVE-2015-4949 is the potential disclosure of sensitive cleartext passwords that can be exploited by attackers.
Is there a workaround for CVE-2015-4949?
Currently, the recommended solution for CVE-2015-4949 is to apply the security updates rather than relying on a workaround.
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/severity
- agent/author
- agent/weakness
- agent/last-modified-date
- agent/references
- agent/description
- agent/event
- agent/first-publish-date
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/ibm
- canonical/ibm flashcopy manager
- version/ibm flashcopy manager/4.1.0
- version/ibm flashcopy manager/4.1.2
- canonical/ibm tivoli storage manager for databases data protection for microsoft sql server
- version/ibm tivoli storage manager for databases data protection for microsoft sql server/7.1
- version/ibm tivoli storage manager for databases data protection for microsoft sql server/7.2
- canonical/ibm tivoli storage manager for mail data protection for microsoft exchange server
- version/ibm tivoli storage manager for mail data protection for microsoft exchange server/7.1
- version/ibm tivoli storage manager for mail data protection for microsoft exchange server/7.2