PatchSiren

PatchSiren cyber security CVE debrief

CVE-2015-7494 IBM CVE debrief

CVE-2015-7494 is an authorization weakness in the services/[action]/launch API of IBM Cloud Orchestrator. According to IBM and NVD, an authenticated domain admin may be able to modify resources in another domain if they obtain that other domain's resource identifier. The issue was published on 2017-02-08 and is rated low severity (CVSS 2.8).

Vendor: IBM
Product: IBM Cloud Orchestrator / IBM SmartCloud Orchestrator
CVE: CVE-2015-7494
CVSS: LOW 2.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-08
Original CVE updated: 2026-05-13
Advisory published: 2017-02-08
Advisory updated: 2026-05-13

Who should care

Administrators and security teams running IBM Cloud Orchestrator or IBM SmartCloud Orchestrator, especially environments that rely on domain separation and delegate admin privileges. IAM, platform, and operations teams should also care because the flaw involves cross-domain authorization boundaries.

Technical summary

NVD describes the flaw as an improper access control issue (CWE-284) affecting the IBM Cloud Orchestrator and SmartCloud Orchestrator versions listed in the CPEs. The vulnerable interface is the services/[action]/launch API. An authenticated domain admin may be able to modify resources in another domain when they can supply that domain's resource identifier; the identifier is resolved without being scoped to the caller's own domain. NVD's CVSS v3.0 vector is AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N: limited integrity impact (I:L), no confidentiality or availability impact, authenticated low-privilege access required (PR:L), high attack complexity (AC:H), and a changed scope (S:C), consistent with an effect that crosses the domain boundary.

Defensive priority

Low, but still actionable in multi-tenant or domain-separated deployments because the flaw can cross authorization boundaries and alter another domain’s resources.

Recommended defensive actions

  • Apply the IBM patch or vendor guidance referenced in the IBM PSIRT advisory for this issue.
  • Confirm whether any IBM Cloud Orchestrator 2.4, 2.4.0.1, 2.4.0.2, 2.4.0.3, 2.5, 2.5.01, or SmartCloud Orchestrator 2.3 / 2.3.0.1 systems are in use.
  • Review domain-admin permissions and verify that resource identifiers cannot be used to reach objects outside the intended domain boundary.
  • Audit logs for unexpected cross-domain modification attempts through the services/[action]/launch API.
  • Validate any custom integrations or automation that call the launch API to ensure they enforce domain scoping correctly.
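The third, fourth and fifth actions above come down to one control: a resource identifier must only resolve inside the caller's own domain, and any launch call where the caller's domain differs from the resource's domain is worth flagging. The example below is added to this debrief and is not IBM's code or the product's API; the data model, function names, and log line format are assumptions. It shows the flawed pattern (role check only, global identifier lookup) beside a domain-scoped form, and a small log audit that joins launch entries against a resource inventory to surface cross-domain modifications.

```python
"""Domain-scoped authorization for a hypothetical launch API, modelled on the
CVE-2015-7494 flaw class: a domain admin in one domain acting on a resource
in another by knowing its identifier. Added example; not IBM's code. The
Caller/Resource model, inventory, and log format are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Caller:
    user: str
    domain: str
    roles: frozenset = field(default_factory=frozenset)


@dataclass
class Resource:
    resource_id: str
    domain: str
    state: str = "stopped"


class AuthorizationError(Exception):
    pass


def make_inventory() -> dict:
    """Constructed resource inventory: two domains, one resource each."""
    return {
        "res-1001": Resource("res-1001", "domainA"),
        "res-2002": Resource("res-2002", "domainB"),
    }


def launch_vulnerable(caller: Caller, resource_id: str, inventory: dict) -> Resource:
    """Flawed pattern: the role is checked, but the identifier is resolved
    globally, so an admin of domainB who knows a domainA id can modify it."""
    if "domain_admin" not in caller.roles:
        raise AuthorizationError("domain_admin role required")
    resource = inventory[resource_id]  # no domain scoping on the lookup
    resource.state = "running"
    return resource


def launch_hardened(caller: Caller, resource_id: str, inventory: dict) -> Resource:
    """Hardened pattern: the identifier is only honoured when the resource
    belongs to the caller's domain; foreign ids are treated as not found."""
    if "domain_admin" not in caller.roles:
        raise AuthorizationError("domain_admin role required")
    resource = inventory.get(resource_id)
    if resource is None or resource.domain != caller.domain:
        # Same error for missing and foreign ids, so the response does not
        # confirm that an identifier exists in another domain.
        raise AuthorizationError("resource not found in caller's domain")
    resource.state = "running"
    return resource


# Constructed API access log in an assumed key=value format. The log records
# the caller's domain but not the resource's, so the audit joins against the
# inventory to decide whether a launch crossed a domain boundary.
SAMPLE_LOG = """\
ts=2026-01-01T10:00:01Z user=alice caller_domain=domainA action=launch resource=res-1001 result=ok
ts=2026-01-01T10:00:07Z user=bob caller_domain=domainB action=launch resource=res-1001 result=ok
ts=2026-01-01T10:00:09Z user=bob caller_domain=domainB action=stop resource=res-2002 result=ok
ts=2026-01-01T10:00:12Z user=bob caller_domain=domainB action=launch resource=res-9999 result=error
"""


def parse_line(line: str) -> dict:
    """Split one 'key=value key=value' log line into a dict."""
    return dict(token.split("=", 1) for token in line.split())


def find_cross_domain_launches(log_text: str, inventory: dict) -> list:
    """Return (ts, user, resource) for successful launches where the
    caller's domain differs from the owning domain of the resource."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("action") != "launch" or rec.get("result") != "ok":
            continue
        resource = inventory.get(rec.get("resource", ""))
        if resource is None:
            continue  # unknown id: not attributable to a domain from inventory
        if resource.domain != rec.get("caller_domain"):
            findings.append((rec["ts"], rec["user"], rec["resource"]))
    return findings


if __name__ == "__main__":
    bob = Caller("bob", "domainB", frozenset({"domain_admin"}))
    print("vulnerable:", launch_vulnerable(bob, "res-1001", make_inventory()).state)
    try:
        launch_hardened(bob, "res-1001", make_inventory())
    except AuthorizationError as exc:
        print("hardened:", exc)
    print("audit:", find_cross_domain_launches(SAMPLE_LOG, make_inventory()))
```

The hardened lookup deliberately returns the same error for a foreign identifier and a non-existent one, so a probing caller cannot use the response to confirm that an id belongs to another domain. The audit deliberately ignores failed calls and unknown identifiers; if a real deployment's logs already record the resource's owning domain, the inventory join is unnecessary and the comparison can be done on the log record alone.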

Evidence notes

The description, CVSS vector, CWE-284 classification, affected CPEs, and references are all drawn from the supplied NVD-derived source item. IBM PSIRT is referenced as the source for the vendor advisory/patch link, and SecurityFocus is listed as a third-party advisory/VDB entry. The CVE was published on 2017-02-08 and later modified on 2026-05-13; the publication date is the relevant disclosure timing for this debrief.

Official resources

Publicly disclosed in the CVE/NVD record on 2017-02-08, with IBM PSIRT vendor advisory and patch reference listed in the record.