CVE-2012-2206
low
CVSS v3
—
CVSS v2
3.5
VIR risk
3.5
Description
The Web Gateway component in IBM WebSphere MQ File Transfer Edition 7.0.4 and earlier allows remote authenticated users to read files of arbitrary users via vectors involving a username in a URI, as demonstrated by a modified metadata=fteSamplesUser field to the /transfer URI.
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: psirt@us.ibm.com — http://www.ibm.com/support/docview.wss?uid=swg21607481
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| ibm | websphere_mq | 7.0 | |
| ibm | websphere_mq | 7.0.0.1 | |
| ibm | websphere_mq | 7.0.1.0 | |
| ibm | websphere_mq | 7.0.2.0 | |
| ibm | websphere_mq | 7.0.2.2 | |
| ibm | websphere_mq | 7.0.4 | |
| ibm | websphere_mq | 7.0.4.0 | |
References
- http://www-01.ibm.com/support/docview.wss?uid=swg1IC82761
- http://www.exploit-db.com/exploits/20478/
- http://www.ibm.com/support/docview.wss?uid=swg21607481
- https://exchange.xforce.ibmcloud.com/vulnerabilities/77095
CWEs
CWE-264