Executive Summary
Summary | |
---|---|
Title | IBM WebSphere Portal Server input validation vulnerability |
Information | |||
---|---|---|---|
Name | VU#375127 | First vendor Publication | 2011-02-23 |
Vendor | VU-CERT | Last vendor Modification | 2011-02-23 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:N/A:N) | |||
---|---|---|---|
Cvss Base Score | 5 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Low |
Cvss Exploit Score | 10 | Authentication | None Required |
Detail
Vulnerability Note VU#375127
IBM WebSphere Portal Server input validation vulnerability

Overview
IBM WebSphere Portal Server does not validate entry path inputted data.

I. Description
From the IBM Portal website: "IBM WebSphere Portal software provides a composite application or business mashup framework and the advanced tooling needed to build flexible, SOA-based solutions, as well as the unmatched scalability required by any size organization."

IBM WebSphere Portal Server is vulnerable to data leakage caused by missing input validation on inputted entry path transmitted via XML.

II. Impact
An attacker with valid login credentials could leverage this vulnerability to retrieve system information, such as /etc/passwd.

III. Solution
Apply an update
According to IBM's website patches have been issued to address this vulnerability.

References
http://www.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?apar=PM25698&productid=WebSphere%20Portal&brandid=5

Thanks to Peter Brauchle from Daimler TSS Technical Security for reporting this vulnerability.

This document was written by Michael Orlando.
Original Source
Url : http://www.kb.cert.org/vuls/id/375127 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-200 | Information Exposure |
CPE : Common Platform Enumeration
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
70688 | IBM WebSphere Portal Modified Message Unspecified Information Disclosure IBM WebSphere Portal contains an unspecified flaw that may allow an attacker to use a crafted message to disclose certain information. No further details have been provided. |