Vulnerability CVE-2010-3271 - CERT Civis.Net

Vulnerability Name:

CVE-2010-3271 (CCN-68069)

Assigned:

2010-09-09

Published:

2011-06-15

Updated:

2018-10-10

Summary:

Multiple cross-site request forgery (CSRF) vulnerabilities in the Integrated Solutions Console (aka administrative console) in IBM WebSphere Application Server (WAS) 7.0.0.13 and earlier allow remote attackers to hijack the authentication of administrators for requests that disable certain security options via an Edit action to console/adminSecurityDetail.do followed by a save action to console/syncworkspace.do.

CVSS v3 Severity:

3.7 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.6 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:UR)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

2.6 Low (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N)
2.1 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:UR)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2010-3271

Source: CCN
Type: SA44909
IBM WebSphere Application Server Cross-Site Request Forgery Vulnerability

Source: CCN
Type: SA46154
IBM WebSphere Application Server Cross-Site Request Forgery Vulnerability

Source: SREASON
Type: UNKNOWN
8281

Source: CCN
Type: IBM Web site
Websphere Application Server

Source: CCN
Type: IBM APAR PM36734
SHIP APAR FIXES FOR H28W700 FIX PACK 7.0.0.19.

Source: CCN
Type: CORE-2010-1021
IBM WebSphere Application Server Cross-Site Request Forgery

Source: MISC
Type: Exploit
http://www.coresecurity.com/content/IBM-WebSphere-CSRF

Source: EXPLOIT-DB
Type: Exploit
17404

Source: CCN
Type: OSVDB ID: 73052
IBM WebSphere Application Server Admin Security Disable CSRF

Source: BUGTRAQ
Type: UNKNOWN
20110615 CORE-2010-1021: IBM WebSphere Application Server Cross-Site Request Forgery

Source: BID
Type: UNKNOWN
48305

Source: CCN
Type: BID-48305
IBM WebSphere Application Server Administration Console Cross Site Request Forgery Vulnerability

Source: CCN
Type: BID-49766
IBM WebSphere Application Server Cross-Site Request Forgery Vulnerability

Source: XF
Type: UNKNOWN
was-admin-con-csrf(68069)

Vulnerable Configuration:

Configuration 1:

cpe:/a:ibm:websphere_application_server:2.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:3.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:3.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:3.0.2.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:3.0.2.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:3.0.2.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:3.0.2.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:3.0.21:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:3.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:3.5.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:3.5.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:3.5.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:3.52:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:4.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:4.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:4.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:4.0.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.0.2.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.0.2.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.0.2.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.0.2.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.0.2.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.0.2.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.0.2.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.0.2.8:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.0.2.9:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.0.2.10:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.0.2.11:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.0.2.12:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.0.2.13:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.0.2.14:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.0.2.15:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.0.2.16:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.1.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.1.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.1.0.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.1.0.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.1.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.1.1.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.1.1.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.1.1.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.1.1.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.1.1.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.1.1.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.1.1.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.1.1.8:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.1.1.9:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.1.1.10:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.1.1.11:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.1.1.12:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.1.1.13:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.1.1.14:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.1.1.15:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.1.1.16:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:5.1.1.17:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.0.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.0.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.0.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.0.1.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.0.1.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.0.1.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.0.1.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.0.1.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.0.1.9:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.0.1.11:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.0.1.13:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.0.1.15:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.0.1.17:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.0.2.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.0.2.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.0.2.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.0.2.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.0.2.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.0.2.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.0.2.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.0.2.9:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.0.2.11:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.0.2.13:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.0.2.15:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.0.2.17:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.0.2.19:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.0.2.22:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.0.2.23:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.0.2.24:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.0.2.25:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.0.2.27:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.0.2.28:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.0.2.29:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.0.2.30:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.0.2.31:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.0.2.32:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.9:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.11:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.12:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.15:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.17:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.19:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.21:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.23:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.25:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.27:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.29:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.31:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.33:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.13:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.14:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.8:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.9:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.11:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:*:*:*:*:*:*:*:* (Version <= 7.0.0.13)

Configuration CCN 1:

cpe:/a:ibm:websphere_application_server:7.0:*:*:*:*:*:*:*

Denotes that component is vulnerable