CERTA-2009-AVI-551
Vulnerability from certfr_avis - Published: 2009-12-17 - Updated: 2009-12-17
Plusieurs vulnérabilités découvertes dans IBM WebSphere permettent à un utilisateur distant malintentionné de réaliser des injections de code indirectes ou de porter atteinte à la confidentialité des données.
Description
Une vulnérabilité dans la console d'administration d'IBM WebSphere, causée par un manque de contrôle des requêtes HTTP, peut être exploitée afin de réaliser des injections de code indirectes.
Une vulnérabilité dans Java Naming and Directory Interface permet à une personne malveillante de réaliser des requêtes sur les objets de type UserRegistry et ainsi porter atteinte à la confidentialité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "IBM WebSphere Application Server 6.1.x.",
"product": {
"name": "WebSphere",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM WebSphere Application Server 6.0.x ;",
"product": {
"name": "WebSphere",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Description\n\nUne vuln\u00e9rabilit\u00e9 dans la console d\u0027administration d\u0027IBM WebSphere,\ncaus\u00e9e par un manque de contr\u00f4le des requ\u00eates HTTP, peut \u00eatre exploit\u00e9e\nafin de r\u00e9aliser des injections de code indirectes.\n\nUne vuln\u00e9rabilit\u00e9 dans Java Naming and Directory Interface permet \u00e0 une\npersonne malveillante de r\u00e9aliser des requ\u00eates sur les objets de type\nUserRegistry et ainsi porter atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n\n## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2009-2746",
"url": "https://www.cve.org/CVERecord?id=CVE-2009-2746"
},
{
"name": "CVE-2009-2747",
"url": "https://www.cve.org/CVERecord?id=CVE-2009-2747"
}
],
"initial_release_date": "2009-12-17T00:00:00",
"last_revision_date": "2009-12-17T00:00:00",
"links": [],
"reference": "CERTA-2009-AVI-551",
"revisions": [
{
"description": "version initiale.",
"revision_date": "2009-12-17T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "Plusieurs vuln\u00e9rabilit\u00e9s d\u00e9couvertes dans IBM WebSphere permettent \u00e0 un\nutilisateur distant malintentionn\u00e9 de r\u00e9aliser des injections de code\nindirectes ou de porter atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans IBM WebSphere",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM swg27006876 du 14 d\u00e9cembre 2009",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg27006876"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…