CVE-2016-2894

LOW

IBM Spectrum Protect 5.5-6.3 < 6.3.2.6, 6.4 < 6.4.3.3, 7.1 < 7.1.6 - Unauthorized Sensitive Data Exposure via Symlink

Title source: llm
STIX 2.1

Description

IBM Spectrum Protect (formerly Tivoli Storage Manager) 5.5 through 6.3 before 6.3.2.6, 6.4 before 6.4.3.3, and 7.1 before 7.1.6 allows local users to obtain sensitive retrieved data from arbitrary accounts in opportunistic circumstances by leveraging previous use of a symlink during archive and retrieve actions.

References (4)

Core 4
Core References
Vendor Advisory x_refsource_confirm
http://www-01.ibm.com/support/docview.wss?uid=swg21985579
Various Sources vendor-advisory x_refsource_aixapar
http://www-01.ibm.com/support/docview.wss?uid=swg1IT13686
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/91534
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1036220

Scores

CVSS v3 2.5
EPSS 0.0030
EPSS Percentile 22.2%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Details

CWE
CWE-200
Status published
Products (50)
ibm/tivoli_storage_manager 5.5
ibm/tivoli_storage_manager 5.5.0
ibm/tivoli_storage_manager 5.5.2
ibm/tivoli_storage_manager 5.5.3
ibm/tivoli_storage_manager 5.5.4
ibm/tivoli_storage_manager 5.5.4.1
ibm/tivoli_storage_manager 5.5.4.2
ibm/tivoli_storage_manager 5.5.4.3
ibm/tivoli_storage_manager 6.1
ibm/tivoli_storage_manager 6.1.0
... and 40 more
Published Jul 03, 2016
Tracked Since Feb 18, 2026