CVE-2015-7494

Description

A vulnerability has been identified in IBM Cloud Orchestrator services/[action]/launch API. An authenticated domain admin user might modify cross domain resources via a /services/[action]/launch API call, provided it would have been possible for the domain admin user to gain access to a resource identifier of the other domain.

Affected products

• IBM Corporation / Cloud Orchestrator2.2 – 2.2
• IBM Corporation / Cloud Orchestrator2.2.0.1 – 2.2.0.1
• IBM Corporation / Cloud Orchestrator2.3 – 2.3
• IBM Corporation / Cloud Orchestrator2.4 – 2.4
• IBM Corporation / Cloud Orchestrator2.3.0.1 – 2.3.0.1
• IBM Corporation / Cloud Orchestrator2.4.0.1 – 2.4.0.1
• IBM Corporation / Cloud Orchestrator2.4.0.2 – 2.4.0.2
• IBM Corporation / Cloud Orchestrator2.5 – 2.5
• IBM Corporation / Cloud Orchestrator2.5.0.1 – 2.5.0.1
• IBM Corporation / Cloud Orchestrator2.4.0.3 – 2.4.0.3
• IBM Corporation / Cloud Orchestrator2.5.0.2 – 2.5.0.2

References

• MISChttp://www.ibm.com/support/docview.wss?uid=swg2C1000140
• MISChttp://www.securityfocus.com/bid/94438