Vulnerability Details : CVE-2012-4834
Directory traversal vulnerability in LayerLoader.jsp in the theme component in IBM WebSphere Portal 7.0.0.1 and 7.0.0.2 before CF19 and 8.0 before CF03 allows remote attackers to read arbitrary files via a crafted URI.
Vulnerability category: Directory traversal
Products affected by CVE-2012-4834
- cpe:2.3:a:ibm:websphere_portal:8.0.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_portal:7.0.0.1:cf002:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_portal:7.0.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_portal:7.0.0.1:cf003:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_portal:7.0.0.1:cf004:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_portal:7.0.0.1:cf005:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_portal:7.0.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_portal:7.0.0.1:cf013:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_portal:7.0.0.1:cf014:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_portal:7.0.0.1:cf015:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_portal:7.0.0.1:cf016:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_portal:7.0.0.1:cf017:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_portal:7.0.0.2:cf012:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_portal:7.0.0.2:cf013:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_portal:7.0.0.2:cf014:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_portal:7.0.0.2:cf015:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_portal:7.0.0.1:cf009:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_portal:7.0.0.1:cf011:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_portal:7.0.0.1:cf018:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_portal:7.0.0.2:cf002:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_portal:7.0.0.2:cf009:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_portal:7.0.0.2:cf011:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_portal:7.0.0.2:cf016:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_portal:7.0.0.2:cf018:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_portal:8.0.0.0:cf01:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_portal:7.0.0.1:cf006:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_portal:7.0.0.1:cf007:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_portal:7.0.0.1:cf008:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_portal:7.0.0.2:cf004:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_portal:7.0.0.2:cf005:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_portal:7.0.0.2:cf006:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_portal:7.0.0.2:cf007:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_portal:8.0.0.0:cf02:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_portal:7.0.0.1:cf010:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_portal:7.0.0.1:cf012:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_portal:7.0.0.2:cf003:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_portal:7.0.0.2:cf008:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_portal:7.0.0.2:cf010:*:*:*:*:*:*
- cpe:2.3:a:ibm:websphere_portal:7.0.0.2:cf017:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2012-4834
0.28%: Probability of exploitation activity in the next 30 days
~ 68%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2012-4834
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST | |
CWE ids for CVE-2012-4834
- The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Assigned by: nvd@nist.gov (Primary)
References for CVE-2012-4834
- http://www.ibm.com/connections/blogs/PSIRT/entry/security_vulnerability_in_theme_component_for_websphere_portal_versions_7_0_0_x_and_8_0_cve2012_48344
  IBM notice: The page you requested cannot be displayed (Patch; Vendor Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/78914
  IBM WebSphere Portal directory traversal CVE-2012-4834 Vulnerability Report (Third Party Advisory; VDB Entry)
- http://www.ibm.com/support/docview.wss?uid=swg24033155
  Fixes integrated in WebSphere Portal 8.0.0.0 Cumulative Fixes (Patch; Third Party Advisory)
- http://www.ibm.com/support/docview.wss?uid=swg21617713
  Security Bulletin: Security vulnerability in theme component for WebSphere Portal versions 7.0.0.x and 8.0 (CVE-2012-4834) (Patch; Vendor Advisory)