CVE-2016-1183
low
CVSS v3
3.7
CVSS v2
4.3
VIR risk
3.7
Description
NTT Data TERASOLUNA Server Framework for Java(WEB) 2.0.0.1 through 2.0.6.1, as used in Fujitsu Interstage Business Application Server and other products, allows remote attackers to bypass a file-extension protection mechanism, and consequently read arbitrary files, via a crafted pathname.
Predictions
Exploit likelihood
47%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: vultures@jpcert.or.jp — http://www.fujitsu.com/jp/products/software/resources/condition/security/vulnerabilities/2016/index.html#CVE-2016-1183
Vendor advisory: vultures@jpcert.or.jp — http://jvndb.jvn.jp/jvndb/JVNDB-2016-000098
Vendor advisory: vultures@jpcert.or.jp — http://jvn.jp/en/jp/JVN74659077/index.html
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| nttdata | terasoluna_server_framework_for_java_web | 2.0.0.1 | |
| nttdata | terasoluna_server_framework_for_java_web | 2.0.0.2 | |
| nttdata | terasoluna_server_framework_for_java_web | 2.0.1.0 | |
| nttdata | terasoluna_server_framework_for_java_web | 2.0.2.0 | |
| nttdata | terasoluna_server_framework_for_java_web | 2.0.5.1 | |
| nttdata | terasoluna_server_framework_for_java_web | 2.0.5.2 | |
| nttdata | terasoluna_server_framework_for_java_web | 2.0.5.3 | |
| nttdata | terasoluna_server_framework_for_java_web | 2.0.6.1 | |
References
- http://jvn.jp/en/jp/JVN74659077/index.html
- http://jvndb.jvn.jp/jvndb/JVNDB-2016-000098
- http://www.fujitsu.com/jp/products/software/resources/condition/security/vulnerabilities/2016/index.html#CVE-2016-1183
- http://jvn.jp/en/jp/JVN74659077/index.html
- http://jvndb.jvn.jp/jvndb/JVNDB-2016-000098
- http://www.fujitsu.com/jp/products/software/resources/condition/security/vulnerabilities/2016/index.html#CVE-2016-1183
CWEs
CWE-264
Verify integrity in audit chain (admin only). AS-IS.