IBM Rational ClearQuest Input Validation Flaw in Maintenance Tool Lets Remote Users Inject SQL Commands
SecurityTracker Alert ID: 1027060
SecurityTracker URL: http://securitytracker.com/id/1027060
CVE Reference:
CVE-2011-1390
Date: May 11 2012
Impact:
Disclosure of system information, Disclosure of user information, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 7.1.x, 8.0, 8.0.0.1
Description:
A vulnerability was reported in IBM Rational ClearQuest. A remote user can inject SQL commands.
The Maintenance tool does not properly validate user-supplied input. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database.
Jan Kaestle of Siemens AG reported this vulnerability.
Impact:
A remote user can execute SQL commands on the underlying database.
Solution:
The vendor has issued a fix (7.1.1.9, 7.1.2.6, 8.0.0.2).
The vendor's advisory is available at:
http://www-01.ibm.com/support/docview.wss?uid=swg21594717
Vendor URL: www-01.ibm.com/support/docview.wss?uid=swg21594717
Cause:
Input validation error
Underlying OS:
Windows (Any)
Message History:
None.
Source Message Contents
Date: Fri, 11 May 2012 18:06:35 +0000
Subject: IBM Rational ClearQuest Maintenance tool
http://www.ibm.com/support/docview.wss?uid=swg21594717
CVE-2011-1390