A vulnerability classified as problematic was found in IBM TRIRIGA Application Platform up to 3.3.2.5/3.4.2.2/3.5.0.0 (Service Management Software). Affected by this vulnerability is some unknown functionality of the component Database Query Handler. The manipulation with an unknown input leads to a information disclosure vulnerability. The CWE definition for the vulnerability is CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. As an impact it is known to affect confidentiality. The summary by CVE is:

IBM TRIRIGA Application Platform 3.3 before 3.3.2.6, 3.4 before 3.4.2.3, and 3.5 before 3.5.0.1 allows remote attackers to obtain sensitive information via vectors involving a database query. IBM X-Force ID: 111382.

The bug was discovered 04/20/2016. The weakness was released 02/28/2018 (Website). The advisory is shared at exchange.xforce.ibmcloud.com. This vulnerability is known as CVE-2016-0299 since 12/08/2015. The exploitation appears to be easy. The attack can be launched remotely. The exploitation doesn't need any form of authentication. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1592 for this issue.

The vulnerability was handled as a non-public zero-day exploit for at least 679 days. During that time the estimated underground price was around $5k-$25k.

Upgrading to version 3.3.2.6, 3.4.2.3 or 3.5.0.1 eliminates this vulnerability.

Productinfo

Type

• Service Management Software

Vendor

• IBM

Name

• TRIRIGA Application Platform

Version

• 3.3.2.0
• 3.3.2.1
• 3.3.2.2
• 3.3.2.3
• 3.3.2.4
• 3.3.2.5
• 3.4.2.0
• 3.4.2.1
• 3.4.2.2
• 3.5.0

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion