Summary:
IBM Algo Audit and Compliance uses Apache Tomcat and is affected by multiple vulnerabilities identified in it. These could permit an attacker to compromise the web cache, bypass web application firewall protection and conduct XSS attacks; cause a denial of service; obtain sensitive information; or hijack a user’s session.
CVE ID:
CVE-2013-4286
Description:
An HTTP request smuggling vulnerability has been identified in Apache Tomcat that could allow a remote attacker to compromise the web cache, bypass web application firewall protection and conduct XSS attacks. The vulnerability is caused by an error in the handling of a malicious request. The attack requires network access, no authentication and a medium degree of specialized knowledge and technique. A successful attack may partially impact the integrity of data but not the confidentiality of information or the availability of the system.
CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/91426 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Description:
A denial of service vulnerability has been identified in Apache Tomcat, caused by an error in the handling of a malicious request, that could allow a remote attacker to cause a denial of service. The attack requires network access, no authentication and a low degree of specialized knowledge and technique. A successful attack may partially impact the availability of the system but not the confidentiality of information or the integrity of data.
CVSS:
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/91625 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Description:
An information disclosure vulnerability has been identified in Apache Tomcat that could allow a remote attacker to obtain sensitive information, caused by an error when running untrusted web applications. By sending a specially-crafted request, an attacker could exploit this vulnerability to read arbitrary files and obtain sensitive information. The attack requires network access, no authentication and a medium degree of specialized knowledge and technique. An attack may partially impact the confidentiality of information but not the integrity of data or the availability of the system.
CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/91424 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Description:
A vulnerability has been identified in Apache Tomcat that could allow a remote attacker to hijack a valid user’s session, caused by an error that persists even when disableURLRewriting is enabled. An attacker could exploit this vulnerability to hijack another user’s account and possibly launch further attacks on the system. The attack requires network access, no authentication and a medium degree of specialized knowledge and technique. A successful attack may partially impact the integrity of data but not the confidentiality of information or the availability of the system.
CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/91423 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Affected Products and Versions:
IBM Algo Audit and Compliance versions 2.1 - 2.1.0.2
Remediation/Fixes:
Download and install IBM Algo Audit and Compliance version 2.1.0.2 interim fix 1 from Fix Central; details are available at http://www-01.ibm.com/support/docview.wss?uid=swg24037884
Workarounds and Mitigations:
None known