Vulnerability Name: CVE-2015-2017 (CCN-103991) Assigned: 2015-11-02 Published: 2015-11-02 Updated: 2016-12-07 Summary: CRLF injection vulnerability in IBM WebSphere Application Server (WAS) 6.1 through 6.1.0.47, 7.0 before 7.0.0.39, 8.0 before 8.0.0.12, and 8.5 before 8.5.5.8 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL.CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): NoneIntegrity (I): LowAvailibility (A): None
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N 3.2 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): MediumAuthentication (Au): NoneImpact Metrics: Confidentiality (C): NoneIntegrity (I): PartialAvailibility (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N 3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): LowAthentication (Au): NoneImpact Metrics: Confidentiality (C): NoneIntegrity (I): PartialAvailibility (A): None
Vulnerability Type: CWE-Other Vulnerability Consequences: Gain Access References: Source: MITRECVE-2015-2017 PI45266 http://www-01.ibm.com/support/docview.wss?uid=swg21966837 Vulnerabilities in Websphere Liberty Profile (WLP) affect Power Management Console (CVE-2015-2017, CVE-2015-1927, CVE-2015-4938) HTTP response splitting attack affects IBM TS7700 Virtualization Engine (CVE-2015-2017) HTTP response splitting attack in WebSphere Application Server (CVE-2015-2017) IBM Tivoli Monitoring embedded WebSphere Application Server (CVE-2015-7450, CVE-2015-2017, CVE-2015-4938, CVE-2015-1932, CVE-2015-1927 ) HTTP response splitting attack in WebSphere Application Server affects IBM MQ Light (CVE-2015-2017) TTP response splitting attack in FastBack for Workstations Central Administration Console (CVE-2015-2017) Fixes for Multiple Security Vulnerabilities in IBM Security Identity Manager Virtual Appliance available A potential security vulnerability in WebSphere Liberty Profile affects InfoSphere Streams (CVE-2015-2017) Get access vulnerability affects IBM B2B Advanced Communications (CVE-2015-2017) Multiple Security Vulnerabilities affect IBM Security Privileged Identity Manager Virtual Appliance Security Vulnerability in IBM WebSphere Application Server affects IBM Content Collector (CVE-2015-2017) IBM WebSphere Application Server Liberty Profile vulnerability affects IBM Tivoli Application Dependency Discovery Manager (TADDM) (CVE-2015-2017) IBM Cognos Controller is affected by HTTP response splitting attack in WebSphere Application Server (CVE-2015-2017) Vulnerability in IBM WebSphere Application Server affects IBM Cognos Metrics Manager (CVE-2015-2017) A security vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Standards Processing Engine and IBM Transformation Extender Advanced (CVE-2015-2017). A vulnerability in IBM WebSphere Application Server affects IBM QuickFile (CVE-2015-2017). Vulnerability in Websphere Application Server affects IBM Social Media Analytics (CVE-2015-2017) IBM Cognos Business Intelligence Server 2016Q1 Security Updater : IBM Cognos Business Intelligence Server is affected by multiple vulnerabilities. A security vulnerability has been identified in WebSphere Liberty Profile shipped with IBM License Metric Tool v9 and IBM BigFix Inventory v9 (CVE-2015-2017) A security vulnerability in IBM WebSphere Application Server affects IBM Security Access Manager for Mobile (CVE-2015-2017) A security vulnerability in IBM WebSphere Application Server affects IBM Security Access Manager for Web (CVE-2015-2017) Vulnerability in HTTP Response Splitting affects IBM Algorithmics Algo Risk Application & AlgoOne Core- CVE-2015-2017 A security vulnerability has been identified in IBM Business Process Manager, and bundling products shipped with IBM Cloud Orchestrator and Cloud Orchestrator Enterprise (CVE-2015-2017) HTTP response splitting has been identified in IBM WebSphere Application Server Liberty Profile shipped with SmartCloud Cost Management and Tivoli Usage Accounting Manager (CVE-2015-2017) 78457 Multiple IBM Products CVE-2015-2017 HTTP Response Splitting Vulnerability 1034096 ibm-websphere-cve20152017-response-splitting(103991) Vulnerable Configuration: Configuration 1 :cpe:/a:ibm:websphere_application_server:6.1:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:6.1.0:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:6.1.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:6.1.0.1:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:6.1.0.2:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:6.1.0.3:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:6.1.0.5:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:6.1.0.7:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:6.1.0.9:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:6.1.0.11:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:6.1.0.12:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:6.1.0.13:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:6.1.0.14:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:6.1.0.15:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:6.1.0.17:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:6.1.0.19:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:6.1.0.21:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:6.1.0.23:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:6.1.0.25:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:6.1.0.27:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:6.1.0.29:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:6.1.0.31:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:6.1.0.33:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:6.1.0.35:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:6.1.0.37:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:6.1.0.39:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:6.1.0.41:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:6.1.0.43:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:6.1.0.45:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:6.1.0.47:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:7.0:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:7.0.0.1:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:7.0.0.2:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:7.0.0.3:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:7.0.0.4:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:7.0.0.5:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:7.0.0.6:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:7.0.0.7:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:7.0.0.8:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:7.0.0.9:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:7.0.0.10:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:7.0.0.11:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:7.0.0.12:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:7.0.0.13:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:7.0.0.14:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:7.0.0.15:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:7.0.0.16:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:7.0.0.17:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:7.0.0.18:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:7.0.0.19:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:7.0.0.21:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:7.0.0.22:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:7.0.0.23:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:7.0.0.24:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:7.0.0.25:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:7.0.0.27:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:7.0.0.29:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:7.0.0.31:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:7.0.0.32:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:7.0.0.33:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:7.0.0.34:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:7.0.0.36:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:7.0.0.37:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:7.0.0.38:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:8.0.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:8.0.0.1:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:8.0.0.2:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:8.0.0.3:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:8.0.0.4:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:8.0.0.5:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:8.0.0.6:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:8.0.0.7:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:8.0.0.8:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:8.0.0.9:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:8.0.0.10:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:8.0.0.11:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:8.5.5.0:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:8.5.5.1:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:8.5.5.2:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:8.5.5.3:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:8.5.5.4:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:8.5.5.5:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:8.5.5.6:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:8.5.5.7:*:*:*:*:*:*:* Configuration CCN 1 :cpe:/a:ibm:websphere_application_server:6.1:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:7.0:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:8.0:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:8.5:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_application_server:8.5.5:*:*:*:*:*:*:* AND cpe:/a:ibm:cognos_business_intelligence:8.4.1:*:*:*:*:*:*:* OR cpe:/a:ibm:cognos_business_intelligence:10.1:*:*:*:*:*:*:* OR cpe:/a:ibm:cognos_business_intelligence:10.1.1:*:*:*:*:*:*:* OR cpe:/a:ibm:cognos_business_intelligence:10.2:*:*:*:*:*:*:* OR cpe:/a:ibm:content_collector:3.0.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:quickfile:1.1.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:cognos_business_intelligence:10.2.1:*:*:*:*:*:*:* OR cpe:/o:ibm:security_access_manager:7.0:*:web:*:*:*:*:* OR cpe:/o:ibm:security_access_manager:8.0:*:web:*:*:*:*:* OR cpe:/o:ibm:security_access_manager:8.0.0.1:*:mobile:*:*:*:*:* OR cpe:/o:ibm:security_access_manager:8.0.0.2:*:mobile:*:*:*:*:* OR cpe:/o:ibm:security_access_manager:8.0.0.3:*:mobile:*:*:*:*:* OR cpe:/o:ibm:security_access_manager:8.0.0.4:*:mobile:*:*:*:*:* OR cpe:/o:ibm:security_access_manager:8.0.0.2:*:web:*:*:*:*:* OR cpe:/a:ibm:algo_one:4.9.0:*:*:*:*:*:*:* OR cpe:/a:ibm:algo_one:5.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:b2b_advanced_communications:1.0.0.1:*:*:*:*:*:*:* OR cpe:/a:ibm:websphere_mq_light:1.0:*:*:*:*:*:*:* OR cpe:/o:ibm:security_access_manager:8.0.0.5:*:mobile:*:*:*:*:* OR cpe:/o:ibm:security_access_manager:8.0.0.4:*:web:*:*:*:*:* OR cpe:/o:ibm:security_access_manager:8.0.0.5:*:web:*:*:*:*:* OR cpe:/a:ibm:quickfile:1.1.0.1:*:*:*:*:*:*:* OR cpe:/a:ibm:algo_one:4.9.1:*:*:*:*:*:*:* OR cpe:/a:ibm:cognos_business_intelligence:10.2.2:*:*:*:*:*:*:* OR cpe:/o:ibm:security_access_manager:8.0.1:*:mobile:*:*:*:*:* OR cpe:/o:ibm:security_access_manager:8.0.1:*:web:*:*:*:*:* OR cpe:/a:ibm:cloud_orchestrator:2.4:*:*:*:*:*:*:* OR cpe:/a:ibm:security_identity_manager:7.0.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:license_metric_tool:9.0:*:*:*:*:*:*:* OR cpe:/a:ibm:license_metric_tool:9.0.1:*:*:*:*:*:*:* OR cpe:/a:ibm:license_metric_tool:9.1.0.1:*:*:*:*:*:*:* OR cpe:/a:ibm:tivoli_monitoring:6.2.2:*:*:*:*:*:*:* OR cpe:/a:ibm:tivoli_monitoring:6.2.3:*:*:*:*:*:*:* OR cpe:/a:ibm:tivoli_monitoring:6.3.0:*:*:*:*:*:*:* OR cpe:/o:ibm:security_access_manager:8.0.1.2:*:mobile:*:*:*:*:* OR cpe:/a:ibm:cognos_controller:10.2.1:*:*:*:*:*:*:* OR cpe:/a:ibm:license_metric_tool:9.2.0:*:*:*:*:*:*:* OR cpe:/o:ibm:security_access_manager:8.0.1.2:*:web:*:*:*:*:* OR cpe:/o:ibm:security_access_manager:8.0.1.3:*:web:*:*:*:*:* OR cpe:/a:ibm:cloud_orchestrator:2.4.0.1:*:*:*:*:*:*:* OR cpe:/a:ibm:cloud_orchestrator:2.4.0.2:*:*:*:*:*:*:* OR cpe:/a:ibm:security_privileged_identity_manager:2.0.2:*:*:*:*:*:*:* OR cpe:/a:ibm:cloud_orchestrator:2.5:*:*:*:*:*:*:* OR cpe:/o:ibm:security_access_manager:8.0.1.3:*:mobile:*:*:*:*:* OR cpe:/a:ibm:transformation_extender:9.0:*:advanced:*:*:*:*:* OR cpe:/a:ibm:algo_one:5.1.0:*:*:*:*:*:*:* BACK
ibm websphere application server 6.1
ibm websphere application server 6.1.0
ibm websphere application server 6.1.0.0
ibm websphere application server 6.1.0.1
ibm websphere application server 6.1.0.2
ibm websphere application server 6.1.0.3
ibm websphere application server 6.1.0.5
ibm websphere application server 6.1.0.7
ibm websphere application server 6.1.0.9
ibm websphere application server 6.1.0.11
ibm websphere application server 6.1.0.12
ibm websphere application server 6.1.0.13
ibm websphere application server 6.1.0.14
ibm websphere application server 6.1.0.15
ibm websphere application server 6.1.0.17
ibm websphere application server 6.1.0.19
ibm websphere application server 6.1.0.21
ibm websphere application server 6.1.0.23
ibm websphere application server 6.1.0.25
ibm websphere application server 6.1.0.27
ibm websphere application server 6.1.0.29
ibm websphere application server 6.1.0.31
ibm websphere application server 6.1.0.33
ibm websphere application server 6.1.0.35
ibm websphere application server 6.1.0.37
ibm websphere application server 6.1.0.39
ibm websphere application server 6.1.0.41
ibm websphere application server 6.1.0.43
ibm websphere application server 6.1.0.45
ibm websphere application server 6.1.0.47
ibm websphere application server 7.0
ibm websphere application server 7.0.0.1
ibm websphere application server 7.0.0.2
ibm websphere application server 7.0.0.3
ibm websphere application server 7.0.0.4
ibm websphere application server 7.0.0.5
ibm websphere application server 7.0.0.6
ibm websphere application server 7.0.0.7
ibm websphere application server 7.0.0.8
ibm websphere application server 7.0.0.9
ibm websphere application server 7.0.0.10
ibm websphere application server 7.0.0.11
ibm websphere application server 7.0.0.12
ibm websphere application server 7.0.0.13
ibm websphere application server 7.0.0.14
ibm websphere application server 7.0.0.15
ibm websphere application server 7.0.0.16
ibm websphere application server 7.0.0.17
ibm websphere application server 7.0.0.18
ibm websphere application server 7.0.0.19
ibm websphere application server 7.0.0.21
ibm websphere application server 7.0.0.22
ibm websphere application server 7.0.0.23
ibm websphere application server 7.0.0.24
ibm websphere application server 7.0.0.25
ibm websphere application server 7.0.0.27
ibm websphere application server 7.0.0.29
ibm websphere application server 7.0.0.31
ibm websphere application server 7.0.0.32
ibm websphere application server 7.0.0.33
ibm websphere application server 7.0.0.34
ibm websphere application server 7.0.0.36
ibm websphere application server 7.0.0.37
ibm websphere application server 7.0.0.38
ibm websphere application server 8.0.0.0
ibm websphere application server 8.0.0.1
ibm websphere application server 8.0.0.2
ibm websphere application server 8.0.0.3
ibm websphere application server 8.0.0.4
ibm websphere application server 8.0.0.5
ibm websphere application server 8.0.0.6
ibm websphere application server 8.0.0.7
ibm websphere application server 8.0.0.8
ibm websphere application server 8.0.0.9
ibm websphere application server 8.0.0.10
ibm websphere application server 8.0.0.11
ibm websphere application server 8.5.5.0
ibm websphere application server 8.5.5.1
ibm websphere application server 8.5.5.2
ibm websphere application server 8.5.5.3
ibm websphere application server 8.5.5.4
ibm websphere application server 8.5.5.5
ibm websphere application server 8.5.5.6
ibm websphere application server 8.5.5.7
ibm websphere application server 6.1
ibm websphere application server 7.0
ibm websphere application server 8.0
ibm websphere application server 8.5
ibm websphere application server 8.5.5
ibm cognos business intelligence 8.4.1
ibm cognos business intelligence 10.1
ibm cognos business intelligence 10.1.1
ibm cognos business intelligence 10.2
ibm content collector 3.0.0.0
ibm quickfile 1.1.0.0
ibm cognos business intelligence 10.2.1
ibm security access manager for web 7.0
ibm security access manager for web 8.0
ibm security access manager for mobile 8.0.0.1
ibm security access manager for mobile 8.0.0.2
ibm security access manager for mobile 8.0.0.3
ibm security access manager for mobile 8.0.0.4
ibm security access manager for web 8.0.0.2
ibm algo one 4.9.0
ibm algo one 5.0.0
ibm b2b advanced communications 1.0.0.1
ibm websphere mq light 1.0
ibm security access manager for mobile 8.0.0.5
ibm security access manager for web 8.0.0.4
ibm security access manager for web 8.0.0.5
ibm quickfile 1.1.0.1
ibm algo one 4.9.1
ibm cognos business intelligence 10.2.2
ibm security access manager for mobile 8.0.1
ibm security access manager for web 8.0.1
ibm cloud orchestrator 2.4
ibm security identity manager 7.0.0.0
ibm license metric tool 9.0
ibm license metric tool 9.0.1
ibm license metric tool 9.1.0.1
ibm tivoli monitoring 6.2.2
ibm tivoli monitoring 6.2.3
ibm tivoli monitoring 6.3.0
ibm security access manager for mobile 8.0.1.2
ibm cognos controller 10.2.1
ibm license metric tool 9.2.0
ibm security access manager for web 8.0.1.2
ibm security access manager for web 8.0.1.3
ibm cloud orchestrator 2.4.0.1
ibm cloud orchestrator 2.4.0.2
ibm security privileged identity manager 2.0.2
ibm cloud orchestrator 2.5
ibm security access manager for mobile 8.0.1.3
ibm transformation extender advanced 9.0
ibm algo one 5.1.0
Denotes that component is vulnerable