SB2012113001 - Multiple vulnerabilities in IBM WebSphere Portal
Published: November 30, 2012 Updated: August 11, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2013-3016)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
IBM WebSphere Portal 6.1, 7.0, and 8.0 allows remote attackers to access the user directory via a crafted request for a servlet, related to the serveServletsByClassnameEnabled setting.
2) Path traversal (CVE-ID: CVE-2012-4834)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences in LayerLoader.jsp in the theme component in IBM WebSphere Portal 7.0.0.1 and 7.0.0.2 before CF19 and 8.0 before CF03. A remote authenticated attacker can send a specially crafted HTTP request and remote attackers to read arbitrary files via a crafted URI.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.
References
- http://www-01.ibm.com/support/docview.wss?uid=swg21647344
- https://exchange.xforce.ibmcloud.com/vulnerabilities/84350
- http://secunia.com/advisories/51281
- http://www.ibm.com/connections/blogs/PSIRT/entry/security_vulnerability_in_theme_component_for_websphere_portal_versions_7_0_0_x_and_8_0_cve2012_48344
- http://www.ibm.com/support/docview.wss?uid=swg21617713
- http://www.ibm.com/support/docview.wss?uid=swg24033155
- http://www-01.ibm.com/support/docview.wss?uid=swg1PM76354
- https://exchange.xforce.ibmcloud.com/vulnerabilities/78914