{"vuid":"VU#383092","idnumber":"383092","name":"IBM Lotus Notes sets insecure default permissions on program data","keywords":["IBM","Lotus","Notes","insecure default permissions","notes directory"],"overview":"IBM Lotus Notes sets insecure default permissions on the Notes directory. This vulnerability may allow a local attacker to gain unintended access to Lotus Notes program data.","clean_desc":"IBM Lotus Notes installs numerous program files and program data in a special directory known as the Notes directory. According to IBM Technote #21246773: By default, beginning with Notes 6.5.4 and affecting 6.5.5, 7.0 and 7.0.1, \"Full Control\" access (read/write/execute) to the Notes program and data directory is granted to the Windows group \"Everyone\".","impact":"A local attacker may be able to gain unintended access to Lotus Notes program data.","resolution":"Upgrade to unaffected versions of Lotus Notes\nLotus Notes versions 6.5.6 and 7.0.2 are reportedly not affected by this issue.","workarounds":"Workarounds to mitigate this vulnerability can be found in IBM Technote #21246773.","sysaffected":"","thanks":"This issue was reported by \nCarsten Eiram of Secunia Research.","author":"This document was written by Jeff Gennari.","public":["http://secunia.com/secunia_research/2005-29/","http://secunia.com/advisories/19537/","http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21246773"],"cveids":["CVE-2005-2454"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2006-10-19T20:20:16Z","publicdate":"2006-10-18T00:00:00Z","datefirstpublished":"2006-10-20T11:42:56Z","dateupdated":"2006-10-20T15:38:39Z","revision":31,"vrda_d1_directreport":"0","vrda_d1_population":"3","vrda_d1_impact":"3","cam_widelyknown":"8","cam_exploitation":"0","cam_internetinfrastructure":"3","cam_population":"9","cam_impact":"5","cam_easeofexploitation":"15","cam_attackeraccessrequired":"10","cam_scorecurrent":"1.3921875","cam_scorecurrentwidelyknown":"2.9109375","cam_scorecurrentwidelyknownexploited":"5.4421875","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":1.3921875,"vulnote":null}