You are here

V-119: IBM Security AppScan Enterprise Multiple Vulnerabilities

March 26, 2013 - 12:56am

Addthis

PROBLEM:

IBM Security AppScan Enterprise Multiple Vulnerabilities

PLATFORM:

IBM Rational AppScan 5.x
IBM Rational AppScan 8.x

ABSTRACT:

IBM has acknowledged multiple vulnerabilities

REFERENCE LINKS:

IBM Reference #:1626264
Secunia Advisory SA52764
CVE-2008-4033
CVE-2012-4431
CVE-2012-5081
CVE-2013-0473
CVE-2013-0474
CVE-2013-0510
CVE-2013-0511
CVE-2013-0512
CVE-2013-0513
CVE-2013-0532

IMPACT ASSESSMENT:

Medium

DISCUSSION:

1) The application allows users to perform certain actions via HTTP requests without performing proper validity checks to verify the requests. This can be exploited to e.g. cause a DoS when a logged-in user visits a specially crafted web page.

2) Certain input related using a report is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site if malicious data is viewed.

3) Certain input is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

4) The application bundles a vulnerable version of Apache Tomcat.

5) The application bundles a vulnerable version Microsoft XML Core services dll.

6) The application bundles a vulnerable version of Oracle JDK.

IMPACT:

Vulnerabilities can be exploited by malicious people to disclose sensitive information, bypass certain security restrictions, conduct cross-site request forgery, script insertion, and SQL injection attacks, and cause a DoS (Denial of Service).

SOLUTION:

Update to a fixed version

Addthis