Vulnerability Note VU#375127
IBM WebSphere Portal Server input validation vulnerability
Overview
IBM WebSphere Portal Server does not validate entry path inputted data.
Description
From the IBM Portal website: "IBM WebSphere Portal software provides a composite application or business mashup framework and the advanced tooling needed to build flexible, SOA-based solutions, as well as the unmatched scalability required by any size organization." IBM WebSphere Portal Server is vulnerable to data leakage caused by missing input validation on inputted entry path transmitted via XML. |
Impact
An attacker with valid login credentials could leverage this vulnerability to retrieve system information, such as /etc/passwd. |
Solution
Apply an update According to IBM's website patches have been issued to address this vulnerability. |
Restrict access |
Vendor Information (Learn More)
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| IBM Corporation | Affected | 01 Nov 2010 | 21 Jan 2011 |
CVSS Metrics (Learn More)
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
References
- http://www.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?apar=PM25698&productid=WebSphere%20Portal&brandid=5
- http://www-01.ibm.com/support/docview.wss?uid=swg21460422
Credit
Thanks to Peter Brauchle from Daimler TSS Technical Security for reporting this vulnerability.
This document was written by Michael Orlando.
Other Information
- CVE IDs: Unknown
- Date Public: 20 Jan 2011
- Date First Published: 23 Feb 2011
- Date Last Updated: 23 Feb 2011
- Severity Metric: 3.60
- Document Revision: 28
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.
View Notes By
Report a Vulnerability
Please use the Vulnerability Reporting Form to report a vulnerability. Alternatively, you can send us email. Be sure to read our vulnerability disclosure policy.