Vulnerability Name:

CVE-2005-4833 (CCN-33025)

Assigned:2005-12-31
Published:2005-12-31
Updated:2011-03-08
Summary:IBM WebSphere Application Server (WAS) 6.0 before 20050201, when serving pages in an Application WAR or an Extended Document Root, allows remote attackers to obtain the JSP source code and other sensitive information via "a specific JSP URL," related to lack of normalization of the URL format.
CVSS v3 Severity:5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availibility (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
3.2 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
Vulnerability Type:CWE-Other
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2005-4833

Source: MITRE
Type: CNA
CVE-2005-4834

Source: MITRE
Type: CNA
CVE-2006-7165

Source: MITRE
Type: CNA
CVE-2006-7166

Source: OSVDB
Type: UNKNOWN
34177

Source: CCN
Type: SA24478
IBM WebSphere Application Server JSP Source Code Disclosure

Source: SECUNIA
Type: Vendor Advisory
24478

Source: CCN
Type: IBM Security Bulletin 1243541
Possible security exposure with JavaServer Page (JSP) and IBM WebSphere Application Server

Source: CONFIRM
Type: Patch, Vendor Advisory
http://www-1.ibm.com/support/docview.wss?uid=swg21243541

Source: AIXAPAR
Type: Patch, Vendor Advisory
PK00091

Source: CCN
Type: OSVDB ID: 34177
IBM WebSphere Application Server (WAS) Crafted URL JSP Source Disclosure (PK00091)

Source: CCN
Type: OSVDB ID: 41608
IBM WebSphere Application Server (WAS) Special URI Unspecified Information Disclosure

Source: CCN
Type: OSVDB ID: 41609
IBM WebSphere Application Server (WAS) Specific JSP URL Information Disclosure (PK20181)

Source: BID
Type: UNKNOWN
22991

Source: CCN
Type: BID-22991
IBM WebSphere Application Server Source Code Disclosure Vulnerability

Source: VUPEN
Type: UNKNOWN
ADV-2007-0970

Source: XF
Type: UNKNOWN
websphere-jspwarroot-source-disclosure(33025)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:ibm:websphere_application_server:6.0:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:ibm:websphere_application_server:5.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:5.1.0:*:*:*:*:*:*:*
  • AND
  • cpe:/o:ibm:i5os:*:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    ibm websphere application server 6.0
    ibm websphere application server 5.0
    ibm websphere application server 6.0
    ibm websphere application server 6.1
    ibm websphere application server 5.1.0
    ibm i5os *