Overview
IBM Lotus Notes sets insecure default permissions on the Notes directory. This vulnerability may allow a local attacker to gain unintended access to Lotus Notes program data.
Description
IBM Lotus Notes installs numerous program files and program data in a special directory known as the Notes directory. According to IBM Technote #21246773:
By default, beginning with Notes 6.5.4 and affecting 6.5.5, 7.0 and 7.0.1, "Full Control" access (read/write/execute) to the Notes program and data directory is granted to the Windows group "Everyone".
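To check a workstation for the permission described above, the following PowerShell script is an added example and is not taken from the IBM Technote or from this note. It assumes the administrator passes the Notes directory path as the `NotesDirectory` parameter (a hypothetical parameter name; the install path is not given here), and it goes slightly beyond the "Full Control" case by flagging any entry that lets "Everyone" write, delete or re-permission files.

```powershell
# Added example (not from the advisory): list ACL entries that let "Everyone"
# modify a Notes directory tree.
param(
    # Assumption: the caller supplies the Notes program/data directory path.
    [Parameter(Mandatory = $true)]
    [string]$NotesDirectory
)

# Rights that allow changing files or their permissions. FullControl contains all of them.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Raw GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) bits, which can appear on inherit-only entries.
$genericMask = 0x50000000

function Get-EveryoneWriteAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Translate identities to SIDs so the match on Everyone (S-1-1-0) works on localized systems.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $rights = [int]$rule.FileSystemRights
        $grantsWrite = ($rights -band $writeMask) -or ($rights -band $genericMask)
        if ($rule.IdentityReference.Value -eq 'S-1-1-0' -and
            $rule.AccessControlType -eq 'Allow' -and $grantsWrite) {
            [pscustomobject]@{
                Path      = $Path
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Check the directory itself, then every file and subdirectory beneath it.
$targets = @($NotesDirectory) + @(Get-ChildItem -LiteralPath $NotesDirectory -Recurse -Force |
    Select-Object -ExpandProperty FullName)
$findings = @($targets | ForEach-Object { Get-EveryoneWriteAce -Path $_ })

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize -Wrap
    exit 1   # non-zero exit so the check can gate a compliance job
}
Write-Output "No write-capable 'Everyone' entries found under $NotesDirectory"
```

The `Inherited` column shows whether a flagged entry is set on the object itself or comes from a parent directory, which indicates where the ACL needs to be corrected.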
Impact
A local attacker may be able to gain unintended access to Lotus Notes program data.
Solution
Upgrade to unaffected versions of Lotus Notes
Lotus Notes versions 6.5.6 and 7.0.2 are reportedly not affected by this issue.
Acknowledgements
This issue was reported by Carsten Eiram of Secunia Research.
This document was written by Jeff Gennari.
Other Information
CVE IDs: CVE-2005-2454
Severity Metric: 1.39
Date Public: 2006-10-18
Date First Published: 2006-10-20
Date Last Updated: 2006-10-20 15:38 UTC
Document Revision: 31