Vulnerability CVE-2005-4834 - CERT Civis.Net

Vulnerability Name:

CVE-2005-4834 (CCN-33025)

Assigned:

2005-12-31

Published:

2005-12-31

Updated:

2011-03-08

Summary:

IBM WebSphere Application Server (WAS) 5.0.2.5 through 5.1.1.3 allows remote attackers to obtain JSP source code and other sensitive information, related to incorrect request processing by the web container.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2005-4833

Source: MITRE
Type: CNA
CVE-2005-4834

Source: MITRE
Type: CNA
CVE-2006-7165

Source: MITRE
Type: CNA
CVE-2006-7166

Source: CCN
Type: SA24478
IBM WebSphere Application Server JSP Source Code Disclosure

Source: SECUNIA
Type: Vendor Advisory
24478

Source: CCN
Type: IBM Security Bulletin 1243541
Possible security exposure with JavaServer Page (JSP) and IBM WebSphere Application Server

Source: CONFIRM
Type: Patch, Vendor Advisory
http://www-1.ibm.com/support/docview.wss?uid=swg21243541

Source: AIXAPAR
Type: Patch, Vendor Advisory
PQ99537

Source: AIXAPAR
Type: Patch, Vendor Advisory
PK28963

Source: CCN
Type: OSVDB ID: 34177
IBM WebSphere Application Server (WAS) Crafted URL JSP Source Disclosure (PK00091)

Source: CCN
Type: OSVDB ID: 41608
IBM WebSphere Application Server (WAS) Special URI Unspecified Information Disclosure

Source: CCN
Type: OSVDB ID: 41609
IBM WebSphere Application Server (WAS) Specific JSP URL Information Disclosure (PK20181)

Source: BID
Type: UNKNOWN
22991

Source: CCN
Type: BID-22991
IBM WebSphere Application Server Source Code Disclosure Vulnerability

Source: VUPEN
Type: UNKNOWN
ADV-2007-0970

Source: XF
Type: UNKNOWN
websphere-jspwarroot-source-disclosure(33025)

Vulnerable Configuration:

Configuration 1:

cpe:/a:ibm:websphere_application_server:5.0.2.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.0.2.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.0.2.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.0.2.8:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.0.2.9:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.1.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.1.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.1.0.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.1.0.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.1.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.1.1.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.1.1.3:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:ibm:websphere_application_server:5.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.1.0:*:*:*:*:*:*:*

AND

cpe:/o:ibm:i5os:*:*:*:*:*:*:*:*

Denotes that component is vulnerable