U-181: IBM WebSphere Application Server Information Disclosure Vulnerability

June 1, 2012 - 7:00am

PROBLEM:

A vulnerability has been reported in IBM WebSphere Application Server.

PLATFORM:

IBM WebSphere Application Server 6.1.x
IBM WebSphere Application Server 7.0.x
IBM WebSphere Application Server 8.0.x

ABSTRACT:

The vulnerability is caused by missing access controls in the Application Snoop Servlet when handling requests and can be exploited to disclose request and client information.

Reference Links:

Secunia Advisory 49352
CVE-2012-2170
Vendor Advisory

IMPACT ASSESSMENT:

High

Discussion:

WebSphere Application Server Administration Console is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the Administrative Console. A remote attacker could exploit this vulnerability using unspecified attack vectors to inject script in a victim's web browser within the security context of the hosting Web site.

Impact:

Exposure of sensitive information

Solution:

Apply APAR PM56183 or update to version 6.1.0.45, 7.0.0.23, or 8.0.0.4.
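As an added example (not part of the advisory or of IBM's tooling), the following script turns the fixed levels above into an inventory check: it parses WebSphere version strings, compares each against the fixed fix-pack for its release branch, and flags hosts that still need PM56183. The inventory data is constructed for illustration; versions outside the 6.1.x, 7.0.x and 8.0.x branches are reported as not listed by this advisory rather than as safe.

```python
"""Triage WebSphere Application Server versions against the fixed levels
published for CVE-2012-2170 / APAR PM56183 (6.1.0.45, 7.0.0.23, 8.0.0.4)."""

# Minimum fixed fix-pack level per affected release branch, per the advisory.
FIXED_LEVELS = {
    (6, 1): (6, 1, 0, 45),
    (7, 0): (7, 0, 0, 23),
    (8, 0): (8, 0, 0, 4),
}

# Constructed sample inventory (hostname,version); not real hosts.
SAMPLE_INVENTORY = """\
was-prod-01,7.0.0.21
was-prod-02,7.0.0.23
was-dev-01,6.1.0.45
was-dev-02,8.0.0.3
was-test-01,8.5.0.0
"""


def parse_version(text: str) -> tuple:
    """Parse '7.0.0.21' style strings into a 4-tuple, padding short forms
    like '7.0' with zeros so tuple comparison works branch-by-branch."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised WebSphere version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def assess(version_text: str) -> str:
    """Return 'vulnerable', 'fixed', or 'not-listed' (branch not covered
    by this advisory, so no conclusion is drawn from it)."""
    version = parse_version(version_text)
    fixed = FIXED_LEVELS.get(version[:2])
    if fixed is None:
        return "not-listed"
    return "fixed" if version >= fixed else "vulnerable"


def triage(inventory: str) -> dict:
    """Map each host in a 'host,version' inventory to its assessment."""
    results = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, version = line.split(",", 1)
        results[host.strip()] = assess(version)
    return results


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```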