cvelistv5 - cve-2009-2747

CVE-2009-2747 (GCVE-0-2009-2747)

Vulnerability from cvelistv5

Published

2011-10-30 10:00

Modified

2024-08-07 05:59

Severity ?

CWE

Summary

The Java Naming and Directory Interface (JNDI) implementation in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.39, 6.1 before 6.1.0.29, and 7.0 before 7.0.0.7 does not properly restrict access to UserRegistry object methods, which allows remote attackers to obtain sensitive information via a crafted method call.

References

URL

Tags

	http://www.ibm.com/support/docview.wss?uid=swg1PK99480	vendor-advisory, x_refsource_AIXAPAR
	http://www.ibm.com/support/docview.wss?uid=swg1PK91414	vendor-advisory, x_refsource_AIXAPAR
	https://exchange.xforce.ibmcloud.com/vulnerabilities/54228	vdb-entry, x_refsource_XF

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T05:59:57.227Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "PK99480",
            "tags": [
              "vendor-advisory",
              "x_refsource_AIXAPAR",
              "x_transferred"
            ],
            "url": "http://www.ibm.com/support/docview.wss?uid=swg1PK99480"
          },
          {
            "name": "PK91414",
            "tags": [
              "vendor-advisory",
              "x_refsource_AIXAPAR",
              "x_transferred"
            ],
            "url": "http://www.ibm.com/support/docview.wss?uid=swg1PK91414"
          },
          {
            "name": "was-userregistry-information-disclosure(54228)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54228"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2009-11-13T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "The Java Naming and Directory Interface (JNDI) implementation in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.39, 6.1 before 6.1.0.29, and 7.0 before 7.0.0.7 does not properly restrict access to UserRegistry object methods, which allows remote attackers to obtain sensitive information via a crafted method call."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-08-16T14:57:01.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "PK99480",
          "tags": [
            "vendor-advisory",
            "x_refsource_AIXAPAR"
          ],
          "url": "http://www.ibm.com/support/docview.wss?uid=swg1PK99480"
        },
        {
          "name": "PK91414",
          "tags": [
            "vendor-advisory",
            "x_refsource_AIXAPAR"
          ],
          "url": "http://www.ibm.com/support/docview.wss?uid=swg1PK91414"
        },
        {
          "name": "was-userregistry-information-disclosure(54228)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54228"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2009-2747",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Java Naming and Directory Interface (JNDI) implementation in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.39, 6.1 before 6.1.0.29, and 7.0 before 7.0.0.7 does not properly restrict access to UserRegistry object methods, which allows remote attackers to obtain sensitive information via a crafted method call."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "PK99480",
              "refsource": "AIXAPAR",
              "url": "http://www.ibm.com/support/docview.wss?uid=swg1PK99480"
            },
            {
              "name": "PK91414",
              "refsource": "AIXAPAR",
              "url": "http://www.ibm.com/support/docview.wss?uid=swg1PK91414"
            },
            {
              "name": "was-userregistry-information-disclosure(54228)",
              "refsource": "XF",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54228"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2009-2747",
    "datePublished": "2011-10-30T10:00:00.000Z",
    "dateReserved": "2009-08-12T00:00:00.000Z",
    "dateUpdated": "2024-08-07T05:59:57.227Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CERTA-2009-AVI-501

Vulnerability from certfr_avis

Une vulnérabilité dans IBM WebSphere ext exploitable par un utilisateur malveillant pour réaliser de l'injection de code indirecte.

Description

Le filtrage des données entrées dans la console d'administration d'IBM WebSphere est imparfait. Cette vulnérabilité peut être utilisée pour réaliser de l'injection de code indirecte.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

IBM WebSphere 7.0.x.

Impacted products

	Vendor	Product	Description

References

Title

Publication Time

Tags

Bulletin de sécurité IBM swg27014463 du 13 novembre 2009	None	vendor-advisory
Bulletin IBM PK99481 du 10 novembre 2009 :	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [],
  "affected_systems_content": "\u003cSPAN class=\"textit\"\u003eIBM  WebSphere\u003c/SPAN\u003e 7.0.x.",
  "content": "## Description\n\nLe filtrage des donn\u00e9es entr\u00e9es dans la console d\u0027administration d\u0027IBM\nWebSphere est imparfait. Cette vuln\u00e9rabilit\u00e9 peut \u00eatre utilis\u00e9e pour\nr\u00e9aliser de l\u0027injection de code indirecte.\n\n## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2009-2747",
      "url": "https://www.cve.org/CVERecord?id=CVE-2009-2747"
    }
  ],
  "initial_release_date": "2009-11-16T00:00:00",
  "last_revision_date": "2009-11-16T00:00:00",
  "links": [
    {
      "title": "Bulletin IBM PK99481 du 10 novembre 2009 :",
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg1PK99481"
    }
  ],
  "reference": "CERTA-2009-AVI-501",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2009-11-16T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 dans \u003cspan class=\"textit\"\u003eIBM WebSphere\u003c/span\u003e ext\nexploitable par un utilisateur malveillant pour r\u00e9aliser de l\u0027injection\nde code indirecte.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans IBM WebSphere",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM swg27014463 du 13 novembre 2009",
      "url": null
    }
  ]
}

CERTA-2009-AVI-551

Vulnerability from certfr_avis

Plusieurs vulnérabilités découvertes dans IBM WebSphere permettent à un utilisateur distant malintentionné de réaliser des injections de code indirectes ou de porter atteinte à la confidentialité des données.

Description

Une vulnérabilité dans la console d'administration d'IBM WebSphere, causée par un manque de contrôle des requêtes HTTP, peut être exploitée afin de réaliser des injections de code indirectes.

Une vulnérabilité dans Java Naming and Directory Interface permet à une personne malveillante de réaliser des requêtes sur les objets de type UserRegistry et ainsi porter atteinte à la confidentialité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	IBM	WebSphere	IBM WebSphere Application Server 6.1.x.
	IBM	WebSphere	IBM WebSphere Application Server 6.0.x ;

References

Title

Publication Time

Tags

Bulletin de sécurité IBM swg27006876 du 14 décembre 2009

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "IBM WebSphere Application Server 6.1.x.",
      "product": {
        "name": "WebSphere",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM WebSphere Application Server 6.0.x ;",
      "product": {
        "name": "WebSphere",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Description\n\nUne vuln\u00e9rabilit\u00e9 dans la console d\u0027administration d\u0027IBM WebSphere,\ncaus\u00e9e par un manque de contr\u00f4le des requ\u00eates HTTP, peut \u00eatre exploit\u00e9e\nafin de r\u00e9aliser des injections de code indirectes.\n\nUne vuln\u00e9rabilit\u00e9 dans Java Naming and Directory Interface permet \u00e0 une\npersonne malveillante de r\u00e9aliser des requ\u00eates sur les objets de type\nUserRegistry et ainsi porter atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n\n## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2009-2746",
      "url": "https://www.cve.org/CVERecord?id=CVE-2009-2746"
    },
    {
      "name": "CVE-2009-2747",
      "url": "https://www.cve.org/CVERecord?id=CVE-2009-2747"
    }
  ],
  "initial_release_date": "2009-12-17T00:00:00",
  "last_revision_date": "2009-12-17T00:00:00",
  "links": [],
  "reference": "CERTA-2009-AVI-551",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2009-12-17T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "Plusieurs vuln\u00e9rabilit\u00e9s d\u00e9couvertes dans IBM WebSphere permettent \u00e0 un\nutilisateur distant malintentionn\u00e9 de r\u00e9aliser des injections de code\nindirectes ou de porter atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans IBM WebSphere",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM swg27006876 du 14 d\u00e9cembre 2009",
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg27006876"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2009-2747 (GCVE-0-2009-2747)

Vulnerability from cvelistv5

CERTA-2009-AVI-501

Vulnerability from certfr_avis

Description

Solution

CERTA-2009-AVI-551

Vulnerability from certfr_avis

Description

Solution

Tags

Sightings

Nomenclature