Low severity · 3.7 · NVD Advisory · Published Feb 15, 2016 · Updated May 6, 2026

CVE-2015-7408

Description

The server in IBM Spectrum Protect (aka Tivoli Storage Manager) 5.5 and 6.x before 6.3.5.1 and 7.x before 7.1.4 does not properly restrict use of the ASNODENAME option, which allows remote attackers to read or write to backup data by leveraging proxy authority.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Spectrum Protect (TSM) server fails to properly check ASNODENAME proxy authority, allowing unauthorized backup data access.

Vulnerability

The IBM Spectrum Protect (formerly Tivoli Storage Manager) server fails to properly restrict the use of the ASNODENAME option. This option allows a client session to run as a proxy for another client to which the user has been granted proxy authority. The server does not adequately check the authorization of sessions using this option, causing them to run as fully authorized sessions. Affected versions include 5.5, 6.x before 6.3.5.1, and 7.x before 7.1.4 [1][2].

Exploitation

An attacker with network access to the server and proxy authority to another client can use the ASNODENAME option to impersonate that client. The attacker then initiates a session that the server treats as authorized, bypassing the intended access controls [1].

Impact

Successful exploitation allows the attacker to read or write backup data belonging to the impersonated client, leading to unauthorized disclosure or modification of backup data. The CVSS v3 base score is 3.7 (Low) with a vector of AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N [1].

Mitigation

IBM has fixed this vulnerability in Tivoli Storage Manager server versions 7.1.4 and 6.3.5.1. Users on earlier versions should upgrade to these or later releases. For other affected levels, contact IBM support to obtain the appropriate fix. The APAR number is IT13609 [1][2].
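As an added example (not IBM's code and not part of the original advisory), the following sketch triages server levels against the affected ranges and fixed levels stated above. The function names, the dotted `V.R.M.F` input format and the inventory are assumptions made for illustration.

```python
from typing import NamedTuple

# First fixed level per major branch, taken from the advisory text above.
FIXED_IN = {6: (6, 3, 5, 1), 7: (7, 1, 4, 0)}


class Verdict(NamedTuple):
    status: str  # "affected", "fixed" or "not_listed"
    action: str


def parse_level(text: str) -> tuple:
    """Parse a dotted level with 2 to 4 numeric fields into a zero-padded 4-tuple."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised server level: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))


def triage(text: str) -> Verdict:
    level = parse_level(text)
    major, minor = level[0], level[1]
    if (major, minor) == (5, 5):
        # 5.5 is listed as affected and the advisory names no fixed 5.5 level.
        return Verdict("affected", "contact IBM support (APAR IT13609)")
    fixed = FIXED_IN.get(major)
    if fixed is None:
        return Verdict("not_listed", "outside the ranges this advisory states")
    if level < fixed:
        target = ".".join(map(str, fixed)).removesuffix(".0")
        return Verdict("affected", f"upgrade to {target} or later")
    return Verdict("fixed", "no action for this CVE")


def affected_servers(inventory: dict) -> dict:
    """Return {host: action} for every server the advisory marks as affected."""
    verdicts = {host: triage(level) for host, level in inventory.items()}
    return {h: v.action for h, v in verdicts.items() if v.status == "affected"}


# Constructed inventory for illustration only; hostnames and levels are made up.
SAMPLE_INVENTORY = {
    "tsm-archive": "5.5.0.0",
    "tsm-prod": "6.3.5.0",
    "tsm-dr": "7.1.3.100",
    "tsm-new": "7.1.4",
}

if __name__ == "__main__":
    for host, action in affected_servers(SAMPLE_INVENTORY).items():
        print(f"{host}: {action}")
```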

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

11
    • cpe:2.3:a:ibm:tivoli_storage_manager:5.5.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:tivoli_storage_manager:6.1.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:tivoli_storage_manager:6.2.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:tivoli_storage_manager:6.3.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:tivoli_storage_manager:6.3.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:tivoli_storage_manager:6.3.5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:tivoli_storage_manager:7.1.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:tivoli_storage_manager:7.1.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:tivoli_storage_manager:7.1.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:tivoli_storage_manager:7.1.0.3:*:*:*:*:*:*:*
  • Range: >=5.5, <=6.3.5.0, >=7.0.0, <=7.1.3

References

2
