Information disclosure in IBM WebSphere Application Server

Published: 2017-10-31 16:09:43
Severity Low
Patch available YES
Number of vulnerabilities 2
CVSSv2 3.7 (AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
3.7 (AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
CVSSv3 4.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
4.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE ID CVE-2017-1583
CVE-2011-4343
CWE ID CWE-388
CWE-200
Exploitation vector Network
Public exploit Not available
Vulnerable software IBM WebSphere Application Server
Vulnerable software versions IBM WebSphere Application Server 8.0.0.14
IBM WebSphere Application Server 8.0.0.13
IBM WebSphere Application Server 8.0.0.12
Show more
Vendor URL IBM Corporation
Advisory type Public

Security Advisory

1) Information disclosure

Description

The vulnerability allows a remote attacker to obtain sensitive information.

The weakness exists due to improper error handling by MyFaces in JSF. A remote attacker can read arbitrary data on the target system.

Remediation

Update to version 8.0.0.15 or 8.5.5.13.

External links

http://www-01.ibm.com/support/docview.wss?uid=swg22008707

2) Information disclosure

Description

The vulnerability allows a remote attacker to obtain sensitive information.

The weakness exists due to an error in Apache MyFaces. A remote attacker can use specially crafted parameters to inject EL expressions into input fields mapped as view parameters and obtain sensitive information.

Remediation

Update to version 8.0.0.15 or 8.5.5.13.

External links

http://www-01.ibm.com/support/docview.wss?uid=swg22008707

Back to List