#VU27698 Improper access control in Sun ONE/iPlanet Web Server
Vulnerability identifier: #VU27698
Vulnerability risk: Medium
CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:U/RC:C]
CVE-ID:
CWE-ID:
CWE-284
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Sun ONE/iPlanet Web Server
Server applications /
Web servers
Vendor: Sun
Description
The vulnerability allows a remote attacker to gain unauthorized access to sensitive information.
The vulnerability exists due to improper access restrictions within admingui/version URIs in the Administration console. A remote attacker can send a specially crafted request and read the encryption keys
Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Note, this product is no longer supported by the vendor.
Vulnerable software versions
Sun ONE/iPlanet Web Server: 7.0
External links
http://www.oracle.com/support/lifetime-support/
http://www.oracle.com/us/assets/lifetime-support-middleware-069163.pdf
http://wwws.nightwatchcybersecurity.com/2020/05/10/two-vulnerabilities-in-oracles-iplanet-web-server-cve-2020-9315-and-cve-2020-9314/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
