#VU41636 Input validation error in WebSphere Portal - CVE-2014-0954


Updated: 2020-08-10

Vulnerability identifier: #VU41636

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2014-0954

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
WebSphere Portal
Server applications / Application servers

Vendor: IBM Corporation

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 CF27, 7.0 through 7.0.0.2 CF28, and 8.0 before 8.0.0.1 CF12 does not validate JSP includes, which allows remote attackers to obtain sensitive information, bypass intended request-dispatcher access restrictions, or cause a denial of service (memory consumption) via a crafted URL.

Mitigation
Install the update from the vendor's website.

Vulnerable software versions

WebSphere Portal: 6.1.0.0 - 8.0.0.1


External links
https://www-01.ibm.com/support/docview.wss?uid=swg1PI15723
https://www-01.ibm.com/support/docview.wss?uid=swg21672572
https://exchange.xforce.ibmcloud.com/vulnerabilities/92627


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability