Executive Summary

Title IBM WebSphere Portal Server input validation vulnerability
Name VU#375127 First vendor Publication 2011-02-23
Vendor VU-CERT Last vendor Modification 2011-02-23
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Cvss Base Score 5 Attack Range Network
Cvss Impact Score 2.9 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores


Vulnerability Note VU#375127

IBM WebSphere Portal Server input validation vulnerability


IBM WebSphere Portal Server does not validate entry path inputted data.

I. Description

From the IBM Portal website: "IBM WebSphere Portal software provides a composite application or business mashup framework and the advanced tooling needed to build flexible, SOA-based solutions, as well as the unmatched scalability required by any size organization." IBM WebSphere Portal Server is vulnerable to data leakage caused by missing input validation on inputted entry path transmitted via XML.

II. Impact

An attacker with valid login credentials could leverage this vulnerability to retrieve system information, such as /etc/passwd.

III. Solution

Apply an update

According to IBM's website patches have been issued to address this vulnerability.
Restrict access

Restrict network access to the IBM WebSphere Portal software and other devices using open protocols like HTTP.

Vendor Information

VendorStatusDate NotifiedDate Updated
IBM CorporationAffected2010-11-012011-01-21




Thanks to Peter Brauchle from Daimler TSS Technical Security for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

Date Public:2011-01-20
Date First Published:2011-02-23
Date Last Updated:2011-02-23
CERT Advisory: 
US-CERT Technical Alerts: 
Severity Metric:3.60
Document Revision:28

Original Source

Url : http://www.kb.cert.org/vuls/id/375127

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-200 Information Exposure

CPE : Common Platform Enumeration

Application 13

Open Source Vulnerability Database (OSVDB)

Id Description
70688 IBM WebSphere Portal Modified Message Unspecified Information Disclosure

IBM WebSphere Portal contains an unspecified flaw that may allow an attacker to use a crafted message to disclose certain information. No further details have been provided.