CVE-2017-1503 - OpenCVE

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using specially-crafted URL to cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning, cross-site scripting, and possibly obtain sensitive information. IBM X-Force ID: 129578.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ibm	Websphere Application Server

Configuration 1 [-]

OR	cpe:2.3:a:ibm:websphere_application_server:7.0:::::::*
	cpe:2.3:a:ibm:websphere_application_server:8.0:::::::*
	cpe:2.3:a:ibm:websphere_application_server:8.5:::::::*
	cpe:2.3:a:ibm:websphere_application_server:9.0:::::::*

No data.

References

Link	Providers
http://www-01.ibm.com/support/docview.wss?uid=swg22006815
http://www.securityfocus.com/bid/101234
http://www.securitytracker.com/id/1039521
https://exchange.xforce.ibmcloud.com/vulnerabilities/129578

History

No history.

MITRE

Status: PUBLISHED

Assigner: ibm

Published: 2017-10-10T21:00:00

Updated: 2024-08-05T13:32:30.267Z

Reserved: 2016-11-30T00:00:00

Link: CVE-2017-1503

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2017-10-10T21:29:00.210

Modified: 2017-11-05T21:10:14.177

Link: CVE-2017-1503

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "IBM WebSphere Application Server ", "vendor": "IBM", "versions": [{"status": "affected", "version": "7.0, 8.0, 8.5, 9.0"}]}], "datePublic": "2017-10-09T00:00:00", "descriptions": [{"lang": "en", "value": "IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using specially-crafted URL to cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning, cross-site scripting, and possibly obtain sensitive information. IBM X-Force ID: 129578."}], "problemTypes": [{"descriptions": [{"description": "XSS", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-10-13T09:57:01", "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm"}, "references": [{"name": "101234", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/101234"}, {"name": "1039521", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1039521"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg22006815"}, {"tags": ["x_refsource_MISC"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/129578"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@us.ibm.com", "ID": "CVE-2017-1503", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "IBM WebSphere Application Server ", "version": {"version_data": [{"version_value": "7.0, 8.0, 8.5, 9.0"}]}}]}, "vendor_name": "IBM"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using specially-crafted URL to cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning, cross-site scripting, and possibly obtain sensitive information. IBM X-Force ID: 129578."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "XSS"}]}]}, "references": {"reference_data": [{"name": "101234", "refsource": "BID", "url": "http://www.securityfocus.com/bid/101234"}, {"name": "1039521", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1039521"}, {"name": "http://www-01.ibm.com/support/docview.wss?uid=swg22006815", "refsource": "CONFIRM", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg22006815"}, {"name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/129578", "refsource": "MISC", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/129578"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T13:32:30.267Z"}, "title": "CVE Program Container", "references": [{"name": "101234", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/101234"}, {"name": "1039521", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1039521"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg22006815"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/129578"}]}]}, "cveMetadata": {"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "assignerShortName": "ibm", "cveId": "CVE-2017-1503", "datePublished": "2017-10-10T21:00:00", "dateReserved": "2016-11-30T00:00:00", "dateUpdated": "2024-08-05T13:32:30.267Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ibm:websphere_application_server:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "B0905C80-A1BA-49CD-90CA-9270ECC3940C", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:websphere_application_server:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "07EBB48B-4EE2-4333-851E-BA1B104FBE92", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:websphere_application_server:8.5:*:*:*:*:*:*:*", "matchCriteriaId": "E30E8CE2-9137-4669-AE86-FB8ED0899736", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:websphere_application_server:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "C4F6F77C-2C0D-4A31-B2A0-DB1C4296FF5E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using specially-crafted URL to cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning, cross-site scripting, and possibly obtain sensitive information. IBM X-Force ID: 129578."}, {"lang": "es", "value": "IBM WebSphere Application Server 7.0, 8.0, 8.5 y 9.0 es vulnerable a ataques de divisi\u00f3n de respuestas HTTP. Un atacante remoto podr\u00eda explotar esta vulnerabilidad utilizando una URL especialmente manipulada para provocar que el servidor devuelva una respuesta dividida una vez que se hacer clic en la URL. Esto permitir\u00eda que el atacante realice m\u00e1s ataques como el envenenamiento de la memoria cach\u00e9 web, Cross-Site Scripting (XSS) y posiblemente la obtenci\u00f3n de informaci\u00f3n sensible. IBM X-Force ID: 129578."}], "id": "CVE-2017-1503", "lastModified": "2017-11-05T21:10:14.177", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-10-10T21:29:00.210", "references": [{"source": "psirt@us.ibm.com", "tags": ["Vendor Advisory"], "url": "http://www-01.ibm.com/support/docview.wss?uid=swg22006815"}, {"source": "psirt@us.ibm.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/101234"}, {"source": "psirt@us.ibm.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1039521"}, {"source": "psirt@us.ibm.com", "tags": ["VDB Entry", "Vendor Advisory"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/129578"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}