search menu icon-carat-right cmu-wordmark

CERT Coordination Center

IBM Lotus Notes sets insecure default permissions on program data

Vulnerability Note VU#383092

Original Release Date: 2006-10-20 | Last Revised: 2006-10-20


IBM Lotus Notes sets insecure default permissions on the Notes directory. This vulnerability may allow a local attacker to gain unintended access to Lotus Notes program data.


IBM Lotus Notes installs numerous program files and program data in a special directory known as the Notes directory. According to IBM Technote #21246773:

By default, beginning with Notes 6.5.4 and affecting 6.5.5, 7.0 and 7.0.1, "Full Control" access (read/write/execute) to the Notes program and data directory is granted to the Windows group "Everyone".


A local attacker may be able to gain unintended access to Lotus Notes program data.


Upgrade to unaffected versions of Lotus Notes

Lotus Notes versions 6.5.6 and 7.0.2 are reportedly not affected by this issue.

Workarounds to mitigate this vulnerability can be found in IBM Technote #21246773

Vendor Information


Lotus Software Affected

Updated:  October 20, 2006



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


Refer to

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group Score Vector



This issue was reported by Carsten Eiram of Secunia Research.

This document was written by Jeff Gennari.

Other Information

CVE IDs: CVE-2005-2454
Severity Metric: 1.39
Date Public: 2006-10-18
Date First Published: 2006-10-20
Date Last Updated: 2006-10-20 15:38 UTC
Document Revision: 31

Sponsored by CISA.