Vulnerability CVE-2008-5549 - CERT Civis.Net

Vulnerability Name:

CVE-2008-5549 (CCN-47256)

Assigned:

2008-12-05

Published:

2008-12-05

Updated:

2017-08-08

Summary:

Unspecified vulnerability in the Sun Java Web Console components in Sun Java System Portal Server 7.1 and 7.2 allows remote attackers to access local files and read the product's configuration information via unknown vectors related to "access to secure files by ThemeServlet."

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

Vulnerability Type:

CWE-noinfo
CWE-264

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2008-5549

Source: CCN
Type: SA33120
Sun Java System Portal Server File Disclosure Vulnerability

Source: SECUNIA
Type: Vendor Advisory
33120

Source: CCN
Type: SECTRACK ID: 1021380
Sun Java System Portal Server Discloses Certain Files to Remote Users

Source: SECTRACK
Type: UNKNOWN
1021380

Source: CONFIRM
Type: Patch, Vendor Advisory
http://sunsolve.sun.com/search/document.do?assetkey=1-21-124301-12-1

Source: CONFIRM
Type: Patch, Vendor Advisory
http://sunsolve.sun.com/search/document.do?assetkey=1-21-138686-01-1

Source: SUNALERT
Type: Vendor Advisory
243886

Source: CCN
Type: Sun Alert ID: 243886
Security Vulnerability Related to Sun Java System Portal Server May Allow Information Disclosure

Source: CCN
Type: ASA-2008-483
Security Vulnerability Related to Sun Java System Portal Server May Allow Information Disclosure (Sun 243886)

Source: CCN
Type: OSVDB ID: 50695
Sun Java System Portal Server Unspecified Information Disclosure

Source: BID
Type: UNKNOWN
32770

Source: CCN
Type: BID-32770
Sun Java System Portal Server Web Console Information Disclosure Vulnerability

Source: VUPEN
Type: UNKNOWN
ADV-2008-3408

Source: XF
Type: UNKNOWN
jsps-webconsole-information-disclosure(47256)

Source: XF
Type: UNKNOWN
jsps-webconsole-information-disclosure(47256)

Vulnerable Configuration:

Configuration 1:

cpe:/a:sun:java_system_portal_server:7.1:*:*:*:*:*:*:*

OR cpe:/a:sun:java_system_portal_server:7.2:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:sun:java_system_portal_server:7.1:*:*:*:*:*:*:*

OR cpe:/a:sun:java_system_portal_server:7.2:*:*:*:*:*:*:*

AND

cpe:/o:sun:solaris:8::x86:*:*:*:*:*

OR cpe:/o:sun:solaris:8::sparc:*:*:*:*:*

OR cpe:/o:sun:solaris:9::x86:*:*:*:*:*

OR cpe:/o:sun:solaris:10::sparc:*:*:*:*:*

OR cpe:/o:sun:solaris:10::x86:*:*:*:*:*

OR cpe:/o:sun:solaris:9::sparc:*:*:*:*:*

Denotes that component is vulnerable