Vulnerability CVE-2002-0562 - CERT Civis.Net

Vulnerability Name:

CVE-2002-0562 (CCN-8100)

Assigned:

2002-02-06

Published:

2002-02-06

Updated:

2016-10-18

Summary:

The default configuration of Oracle 9i Application Server 1.0.2.x running Oracle JSP or SQLJSP stores globals.jsa under the web root, which allows remote attackers to gain sensitive information including usernames and passwords via a direct HTTP request to globals.jsa.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2002-0562

Source: MITRE
Type: CNA
CVE-2002-0565

Source: BUGTRAQ
Type: UNKNOWN
20020206 JSP translation file access under Oracle 9iAS

Source: CONFIRM
Type: Patch, Vendor Advisory
http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf

Source: CCN
Type: CERT Advisory CA-2002-08
Multiple vulnerabilities in Oracle Servers

Source: CERT
Type: Patch, Third Party Advisory, US Government Resource
CA-2002-08

Source: CCN
Type: CIAC Information Bulletin M-048
Oracle 9iAS Default Configuration Vulnerability

Source: CCN
Type: US-CERT VU#547459
Oracle 9iAS creates temporary files when processing JSP requests that are world-readable

Source: CCN
Type: US-CERT VU#698467
Oracle 9iAS default configuration allows access to globals.jsa file

Source: CERT-VN
Type: US Government Resource
VU#698467

Source: CCN
Type: NGSSoftware Insight Security Research Advisory #NISR06022002C
OracleJSP

Source: CCN
Type: OSVDB ID: 14895
Oracle _pages Directory Compiled JSP Source Disclosure

Source: CCN
Type: OSVDB ID: 707
Oracle Application Server globals.jsa Database Credential Remote Disclosure

Source: BID
Type: Patch, Vendor Advisory
4034

Source: CCN
Type: BID-4034
Oracle 9IAS OracleJSP Information Disclosure Vulnerability

Source: XF
Type: UNKNOWN
oracle-appserver-oraclejsp-view-info(8100)

Vulnerable Configuration:

Configuration 1:

cpe:/a:oracle:application_server:1.0.2:*:*:*:*:*:*:*

OR cpe:/a:oracle:application_server_web_cache:2.0.0.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:application_server_web_cache:2.0.0.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:application_server_web_cache:2.0.0.2:*:*:*:*:*:*:*

OR cpe:/a:oracle:application_server_web_cache:2.0.0.3:*:*:*:*:*:*:*

OR cpe:/a:oracle:oracle9i:9.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:oracle9i:9.0.1:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:oracle:application_server_web_cache:2.0.0.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:database_server:9.0.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:database_server:9.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:application_server_web_cache:2.0.0.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:application_server_web_cache:2.0.0.2:*:*:*:*:*:*:*

OR cpe:/a:oracle:application_server_web_cache:2.0.0.3:*:*:*:*:*:*:*

Denotes that component is vulnerable