CVE-2013-3976 : The (1) Data Protection for Exchange component 6.1 before 6.1.3.4 and 6.3 before 6.3.1 in IBM Tivoli Storage Manager for

The (1) Data Protection for Exchange component 6.1 before 6.1.3.4 and 6.3 before 6.3.1 in IBM Tivoli Storage Manager for Mail and the (2) FlashCopy Manager for Exchange component 2.2 and 3.1 before 3.1.1 in IBM Tivoli Storage FlashCopy Manager do not properly constrain mailbox contents during certain PST restore operations, which allows remote authenticated users to read the personal e-mail of other users in opportunistic circumstances by launching an e-mail client after an administrator performs a multiple-mailbox restore.

Published 2014-03-26 10:55:05

Updated 2017-08-29 01:33:31

Source IBM Corporation

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2013-3976

Probability of exploitation activity in the next 30 days: 0.12%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 44 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2013-3976

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
2.1	LOW	AV:N/AC:H/Au:S/C:P/I:N/A:N	3.9	2.9	NIST
Access Vector: Network Access Complexity: High Authentication: Single Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None

CWE ids for CVE-2013-3976

CWE-264

Assigned by: nvd@nist.gov (Primary)

References for CVE-2013-3976

http://www-01.ibm.com/support/docview.wss?uid=swg1IC81223

IBM IC81223: MAILBOX DATA IS SAVED TO THE WRONG .PST FILE WHEN RESTORING MULTIPLE MAILBOXES TO .PST FILES IN ONE COMMAND.
http://www-01.ibm.com/support/docview.wss?uid=swg21644407

IBM Security Bulletin: Possibility for Accidental Disclosure of Microsoft Exchange Mailboxes to Unauthorized Users (CVE-2013-3976)
Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/84881

IBM Tivoli Storage Manager for Mail mailbox restore information disclosure CVE-2013-3976 Vulnerability Report

Products affected by CVE-2013-3976

IBM » Tivoli Storage Manager For Mail » Version: N/A
cpe:2.3:a:ibm:tivoli_storage_manager_for_mail:-:*:*:*:*:*:*:*
Matching versions
IBM » Data Protection » Version: 6.3 For Exchange Server
cpe:2.3:a:ibm:data_protection:6.3:*:*:*:*:exchange_server:*:*
Matching versions
IBM » Data Protection » Version: 6.1 For Exchange Server
cpe:2.3:a:ibm:data_protection:6.1:*:*:*:*:exchange_server:*:*
Matching versions
IBM » Tivoli Storage Flashcopy Manager » Version: N/A
cpe:2.3:a:ibm:tivoli_storage_flashcopy_manager:-:*:*:*:*:*:*:*
Matching versions
IBM » Flashcopy Manager » Version: 2.2 For Exchange Server
cpe:2.3:a:ibm:flashcopy_manager:2.2:*:*:*:*:exchange_server:*:*
Matching versions
IBM » Flashcopy Manager » Version: 3.1 For Exchange Server
cpe:2.3:a:ibm:flashcopy_manager:3.1:*:*:*:*:exchange_server:*:*
Matching versions
IBM » Flashcopy Manager » Version: 2.1 For Exchange Server
cpe:2.3:a:ibm:flashcopy_manager:2.1:*:*:*:*:exchange_server:*:*
Matching versions

Vulnerability Details : CVE-2013-3976

Exploit prediction scoring system (EPSS) score for CVE-2013-3976

CVSS scores for CVE-2013-3976

CWE ids for CVE-2013-3976

References for CVE-2013-3976

Products affected by CVE-2013-3976