Vulnerability Name:

CVE-2010-2325 (CCN-56625)

Assigned:2010-03-02
Published:2010-03-02
Updated:2010-06-24
Summary:Cross-site scripting (XSS) vulnerability in the administrative console in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11 on z/OS allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related in part to "URL injection."
CVSS v3 Severity:5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availibility (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.2 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
3.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
Vulnerability Type:CWE-79
Vulnerability Consequences:Obtain Information
References:Source: CCN
Type: Sun Security Blog, 29 Apr 2011
Multiple Vulnerabilities in the Apache 2 HTTP Server Prior to 2.2.16

Source: MITRE
Type: CNA
CVE-2010-0434

Source: MITRE
Type: CNA
CVE-2010-2325

Source: CCN
Type: Apache Web Site
Apache httpd 2.2 vulnerabilities

Source: CCN
Type: RHSA-2010-0168
Moderate: httpd security and enhancement update

Source: CCN
Type: RHSA-2010-0175
Low: httpd security, bug fix, and enhancement update

Source: CCN
Type: RHSA-2010-0396
Moderate: httpd and httpd22 security and enhancement update

Source: CCN
Type: RHSA-2010-0602
Moderate: Red Hat Certificate System 7.3 security update

Source: CCN
Type: SA39081
IBM OS/400 HTTP Server Information Disclosure Vulnerability

Source: CCN
Type: SA39628
IBM WebSphere Application Server for z/OS Multiple Vulnerabilities

Source: CCN
Type: SA40096
IBM WebSphere Application Server for z/OS Multiple Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
40096

Source: CCN
Type: SA40732
Interstage HTTP Server Multiple Vulnerabilities

Source: CCN
Type: SA40859
Red Hat Update for Multiple Packages

Source: CCN
Type: SA41607
VMware ACE Management Server (AMS) Two Vulnerabilities

Source: CCN
Type: SA44443
Oracle Solaris Apache HTTP Server Multiple Vulnerabilities

Source: CCN
Type: SA46041
Blue Coat Director Multiple Vulnerabilities

Source: CCN
Type: SA54225
Oracle HTTP Server Multiple Vulnerabilities

Source: CCN
Type: IBM APAR SE42335
HTTPSVR - Patch Apache Vulnerability CVE 2010 0434

Source: AIXAPAR
Type: UNKNOWN
PM11778

Source: CCN
Type: IBM APAR PM12247
SHIP APAR FIXES FOR H28W610 FIX PACK 6.1.0.31.

Source: AIXAPAR
Type: UNKNOWN
PM15830

Source: DEBIAN
Type: DSA-2035
apache2 -- multiple issues

Source: CCN
Type: Oracle Web Site
Oracle Critical Patch Update - July 2013

Source: CCN
Type: OSVDB ID: 62675
Apache HTTP Server Multi-Processing Module (MPM) Subrequest Header Handling Cross-thread Information Disclosure

Source: CCN
Type: OSVDB ID: 65651
IBM WebSphere Application Server (WAS) on z/OS Admin Console Unspecified XSS

Source: CCN
Type: BID-38494
Apache 'mod_isapi' Memory Corruption Vulnerability

Source: CCN
Type: BID-38580
Apache Subrequest Handling Information Disclosure Vulnerability

Source: CCN
Type: BID-39701
IBM WebSphere Application Server SIP Logging Information Disclosure Vulnerability

Source: CCN
Type: USN-908-1
Apache vulnerabilities

Source: VUPEN
Type: Vendor Advisory
ADV-2010-1411

Source: XF
Type: UNKNOWN
apache-http-rh-info-disclosure(56625)

Source: CCN
Type: ASF Bugzilla Bug 48359
Buffer overflow related to setting RequestHeader

Source: CCN
Type: Bluecoat Web site
Security Advisories

Source: CCN
Type: Mend Vulnerability Database
CVE-2010-0434

Vulnerable Configuration:Configuration 1:
  • cpe:/a:ibm:websphere_application_server:7.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:7.0.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:7.0.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:7.0.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:7.0.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:7.0.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:7.0.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:7.0.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:7.0.0.8:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:7.0.0.9:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:*:*:*:*:*:*:*:* (Version <= 7.0.0.10)
  • AND
  • cpe:/o:ibm:z/os:*:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/o:sun:sunos:5.10:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:-:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.2.6:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:certificate_system:7.3:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.2.8:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.2.9:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.2.11:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.2.13:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.2.12:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.2.14:*:*:*:*:*:*:*
  • AND
  • cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu:6.06::lts:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0::x86_64:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.1:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:5::client_workstation:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2008.0:x86_64:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:5::client:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2008.0:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:i5os:-:*:*:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu:8.04::lts:*:*:*:*:*
  • OR cpe:/o:ibm:os/400:v6r1m0:*:*:*:*:*:*:*
  • OR cpe:/o:mandriva:linux:2009.0:*:*:*:*:*:*:*
  • OR cpe:/o:mandriva:linux:2009.0:-:x86_64:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu:8.10:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:5.0:*:*:*:*:*:*:*
  • OR cpe:/o:mandriva:linux:2009.1:*:*:*:*:*:*:*
  • OR cpe:/o:mandriva:linux:2009.1:*:*:*:x86_64:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4.8.z:*:es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4.8.z:*:as:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:2009.06:*:*:*:*:*:*:*
  • OR cpe:/o:mandriva:enterprise_server:5:*:*:*:*:*:*:*
  • OR cpe:/o:mandriva:enterprise_server:5:*:*:*:x86_64:*:*:*
  • OR cpe:/o:mandriva:linux:2010:*:*:*:x86_64:*:*:*
  • OR cpe:/o:mandriva:linux:2010:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:http_server:-:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    ibm websphere application server 7.0
    ibm websphere application server 7.0.0.1
    ibm websphere application server 7.0.0.2
    ibm websphere application server 7.0.0.3
    ibm websphere application server 7.0.0.4
    ibm websphere application server 7.0.0.5
    ibm websphere application server 7.0.0.6
    ibm websphere application server 7.0.0.7
    ibm websphere application server 7.0.0.8
    ibm websphere application server 7.0.0.9
    ibm websphere application server *
    ibm zos *
    sun sunos 5.10
    apache http server 2.2.4
    apache http server 2.2.3
    apache http server 2.2.0
    apache http server 2.2.2
    apache http server -
    apache http server 2.2.6
    redhat certificate system 7.3
    apache http server 2.2.8
    apache http server 2.2.9
    apache http server 2.2.11
    apache http server 2.2.13
    apache http server 2.2.12
    apache http server 2.2.14
    redhat enterprise linux 4
    redhat enterprise linux 4
    redhat enterprise linux 4
    redhat enterprise linux 4
    canonical ubuntu 6.06
    mandrakesoft mandrake linux corporate server 4.0
    mandrakesoft mandrake linux corporate server 4.0
    ibm websphere application server 6.1
    redhat enterprise linux 5
    redhat enterprise linux 5
    mandrakesoft mandrake linux 2008.0 x86_64
    redhat enterprise linux 5
    mandrakesoft mandrake linux 2008.0
    ibm i5os -
    canonical ubuntu 8.04
    ibm os/400 v6r1m0
    mandriva linux 2009.0
    mandriva linux 2009.0 -
    canonical ubuntu 8.10
    debian debian linux 5.0
    mandriva linux 2009.1
    mandriva linux 2009.1
    redhat enterprise linux 4.8.z
    redhat enterprise linux 4.8.z
    sun opensolaris 2009.06
    mandriva enterprise server 5
    mandriva enterprise server 5
    mandriva linux 2010
    mandriva linux 2010
    oracle http server -