A vulnerability was found in IBM Maximo Asset Management up to 7.1.1.10 (Asset Management Software). It has been rated as problematic. Using CWE to declare the problem leads to CWE-93. The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. Impacted is integrity. The summary by CVE is:

CRLF injection vulnerability in IBM Maximo Asset Management 7.x before 7.5.0.6 and SmartCloud Control Desk 7.x before 7.5.0.3 and 7.5.1.x before 7.5.1.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted parameter in a URL.

The weakness was presented 05/26/2014 (Website). It is possible to read the advisory at www-01.ibm.com. The identification of this vulnerability is CVE-2012-3333 since 06/07/2012. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. The technical details are unknown and an exploit is not publicly available.

Upgrading to version 7.1.1.11 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at X-Force (78145). See VDB-69814, VDB-69813, VDB-69812 and VDB-69811 for similar entries. If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Type

• Asset Management Software

Vendor

• IBM

Name

• Maximo Asset Management

Version

• 7.1.1.0
• 7.1.1.1
• 7.1.1.2
• 7.1.1.3
• 7.1.1.4
• 7.1.1.5
• 7.1.1.6
• 7.1.1.7
• 7.1.1.8
• 7.1.1.9
• 7.1.1.10

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion