There are two potential infomation disclosure vulnerabilities that affects the Java Server Faces (JSF) component used by WebSphere Application Server.
CVEID: CVE-2017-1583**
DESCRIPTION:** IBM WebSphere Application Server could allow a remote attacker to obtain sensitive information caused by improper error handling by MyFaces in JSF.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/132342 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
**
CVEID:CVE-2011-4343
DESCRIPTION:** Apache MyFaces could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability using specially crafted parameters to inject EL expressions into input fields mapped as view parameters and obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/132287 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
This vulnerability affects the following versions and releases of IBM WebSphere Application Server:
Consult the security bulletin: Multiple vulnerabilities affect Java Server Faces (JSF) used by WebSphere Application Server for vulnerability details and information about fixes.
CPE | Name | Operator | Version |
---|---|---|---|
websphere application server patterns | eq | any |