製品・ソフトウェアに関する情報

JVN脆弱性詳細

複数の EMC Documentum 製品におけるアクセス制限を回避される脆弱性

Title	複数の EMC Documentum 製品におけるアクセス制限を回避される脆弱性
Summary	複数の EMC Documentum 製品には、アクセス制限を回避され、任意の IAPI/IDQL コマンドを実行される脆弱性が存在します。補足情報 : CWE による脆弱性タイプは、CWE-284: Improper Access Control (不適切なアクセス制御) と識別されています。 http://cwe.mitre.org/data/definitions/284.html
Possible impacts	リモート認証されたユーザにより、IAPI/IDQL インターフェースを介して、アクセス制限を回避され、任意の IAPI/IDQL コマンドを実行される可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	June 22, 2016, midnight
Registration Date	June 24, 2016, 2:54 p.m.
Last Update	June 24, 2016, 2:54 p.m.

Affected System

DELL EMC (旧 EMC Corporation)

EMC Documentum Administrator 7.2 Patch 13 未満の 7.x

EMC Documentum Capital Projects 1.10 Patch 10 未満の 1.10

EMC Documentum Capital Projects 1.9 Patch 23 未満の 1.9

EMC Documentum TaskSpace 6.7 SP3

EMC Documentum Webtop 6.8 Patch 13 未満の 6.8

EMC Documentum Webtop 6.8.1 Patch 02 未満の 6.8.1

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2016-0914	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0914
National Vulnerability Database (NVD)
2	CVE-2016-0914	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0914

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-Other	https://www.ipa.go.jp/security/vuln/CWE.html#CWEOther

ベンダー情報

No	Name	URL
EMC Corporation
1	Documentum	http://japan.emc.com/microsites/japan/documentum/index.htm
2	EMC Documentum Capital Projects	http://japan.emc.com/industry/energy/documentum-capital-projects.htm
3	EMC Documentum Webtop	http://japan.emc.com/enterprise-content-management/documentum-webtop.htm

その他

No	Name	URL
関連文書
1	ESA-2016-069: EMC Documentum WebTop and WebTop Clients Improper Authorization Vulnerability	http://seclists.org/bugtraq/2016/Jun/92

Change Log

No	Changed Details	Date of change
0	[2016年06月24日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2016-0914

Summary	EMC Documentum WebTop 6.8 before Patch 13 and 6.8.1 before Patch 02, Documentum Administrator 7.x before 7.2 Patch 13, Documentum Capital Projects 1.9 before Patch 23 and 1.10 before Patch 10, and Documentum TaskSpace 6.7 SP3 allow remote authenticated users to bypass intended access restrictions and execute arbitrary IAPI/IDQL commands via the IAPI/IDQL interface.
Publication Date	June 23, 2016, 9:59 a.m.
Registration Date	Jan. 26, 2021, 2:04 p.m.
Last Update	Nov. 21, 2024, 11:42 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:emc:documentum_webtop:6.8.1:::::::*
cpe:2.3:a:emc:documentum_administrator:7.2:::::::*
cpe:2.3:a:emc:documentum_webtop:6.8:::::::*
cpe:2.3:a:emc:documentum_taskspace:6.7:sp3::::::
cpe:2.3:a:emc:documentum_capital_projects:1.10:::::::*
cpe:2.3:a:emc:documentum_administrator:7.1:::::::*
cpe:2.3:a:emc:documentum_capital_projects:1.9:::::::*
cpe:2.3:a:emc:documentum_administrator:7.0:::::::*

Related information, measures and tools

No	URL	タグ
1	http://seclists.org/bugtraq/2016/Jun/92	Third Party Advisory VDB Entry
2	http://seclists.org/bugtraq/2016/Jun/92	Third Party Advisory VDB Entry
3	http://www.securitytracker.com/id/1036153	Third Party Advisory VDB Entry
4	http://www.securitytracker.com/id/1036153	Third Party Advisory VDB Entry

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-284	不適切なアクセス制御	https://cwe.mitre.org/data/definitions/284.html

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:emc:documentum_webtop:6.8.1:::::::*
cpe:2.3:a:emc:documentum_administrator:7.2:::::::*
cpe:2.3:a:emc:documentum_webtop:6.8:::::::*
cpe:2.3:a:emc:documentum_taskspace:6.7:sp3::::::
cpe:2.3:a:emc:documentum_capital_projects:1.10:::::::*
cpe:2.3:a:emc:documentum_administrator:7.1:::::::*
cpe:2.3:a:emc:documentum_capital_projects:1.9:::::::*
cpe:2.3:a:emc:documentum_administrator:7.0:::::::*