CVE-2014-3055 : SQL injection vulnerability in the Unified Task List (UTL) Portlet for IBM WebSp

SQL injection vulnerability in the Unified Task List (UTL) Portlet for IBM WebSphere Portal 7.x and 8.x through 8.0.0.1 CF12 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

Published 2014-07-29 20:55:08

Updated 2025-04-12 10:46:41

Source IBM Corporation

View at NVD, CVE.org

Vulnerability category: Sql Injection

Products affected by CVE-2014-3055

IBM » Websphere Portal » Version: 7.0.0.0
cpe:2.3:a:ibm:websphere_portal:7.0.0.0:*:*:*:*:*:*:*
Matching versions
IBM » Websphere Portal » Version: 8.0.0.0
cpe:2.3:a:ibm:websphere_portal:8.0.0.0:*:*:*:*:*:*:*
Matching versions
IBM » Websphere Portal » Version: 7.0.0.1 Update Cf003
cpe:2.3:a:ibm:websphere_portal:7.0.0.1:cf003:*:*:*:*:*:*
Matching versions
IBM » Websphere Portal » Version: 7.0.0.1 Update Cf004
cpe:2.3:a:ibm:websphere_portal:7.0.0.1:cf004:*:*:*:*:*:*
Matching versions
IBM » Websphere Portal » Version: 7.0.0.1 Update Cf005
cpe:2.3:a:ibm:websphere_portal:7.0.0.1:cf005:*:*:*:*:*:*
Matching versions
IBM » Websphere Portal » Version: 7.0.0.2
cpe:2.3:a:ibm:websphere_portal:7.0.0.2:*:*:*:*:*:*:*
Matching versions
IBM » Websphere Portal » Version: 7.0.0.2 Update Cf012
cpe:2.3:a:ibm:websphere_portal:7.0.0.2:cf012:*:*:*:*:*:*
Matching versions
IBM » Websphere Portal » Version: 7.0.0.2 Update Cf013
cpe:2.3:a:ibm:websphere_portal:7.0.0.2:cf013:*:*:*:*:*:*
Matching versions
IBM » Websphere Portal » Version: 7.0.0.2 Update Cf014
cpe:2.3:a:ibm:websphere_portal:7.0.0.2:cf014:*:*:*:*:*:*
Matching versions
IBM » Websphere Portal » Version: 7.0.0.2 Update Cf015
cpe:2.3:a:ibm:websphere_portal:7.0.0.2:cf015:*:*:*:*:*:*
Matching versions
IBM » Websphere Portal » Version: 7.0.0.1 Update Cf009
cpe:2.3:a:ibm:websphere_portal:7.0.0.1:cf009:*:*:*:*:*:*
Matching versions
IBM » Websphere Portal » Version: 7.0.0.2 Update Cf011
cpe:2.3:a:ibm:websphere_portal:7.0.0.2:cf011:*:*:*:*:*:*
Matching versions
IBM » Websphere Portal » Version: 7.0.0.2 Update Cf016
cpe:2.3:a:ibm:websphere_portal:7.0.0.2:cf016:*:*:*:*:*:*
Matching versions
IBM » Websphere Portal » Version: 7.0.0.2 Update Cf018
cpe:2.3:a:ibm:websphere_portal:7.0.0.2:cf018:*:*:*:*:*:*
Matching versions
IBM » Websphere Portal » Version: 8.0.0.0 Update Cf01
cpe:2.3:a:ibm:websphere_portal:8.0.0.0:cf01:*:*:*:*:*:*
Matching versions
IBM » Websphere Portal » Version: 7.0.0.1 Update Cf006
cpe:2.3:a:ibm:websphere_portal:7.0.0.1:cf006:*:*:*:*:*:*
Matching versions
IBM » Websphere Portal » Version: 7.0.0.1 Update Cf007
cpe:2.3:a:ibm:websphere_portal:7.0.0.1:cf007:*:*:*:*:*:*
Matching versions
IBM » Websphere Portal » Version: 7.0.0.1 Update Cf008
cpe:2.3:a:ibm:websphere_portal:7.0.0.1:cf008:*:*:*:*:*:*
Matching versions
IBM » Websphere Portal » Version: 8.0.0.0 Update Cf02
cpe:2.3:a:ibm:websphere_portal:8.0.0.0:cf02:*:*:*:*:*:*
Matching versions
IBM » Websphere Portal » Version: 7.0.0.1 Update Cf010
cpe:2.3:a:ibm:websphere_portal:7.0.0.1:cf010:*:*:*:*:*:*
Matching versions
IBM » Websphere Portal » Version: 7.0.0.2 Update Cf017
cpe:2.3:a:ibm:websphere_portal:7.0.0.2:cf017:*:*:*:*:*:*
Matching versions
IBM » Websphere Portal » Version: 7.0.0.2 Update Cf021
cpe:2.3:a:ibm:websphere_portal:7.0.0.2:cf021:*:*:*:*:*:*
Matching versions
IBM » Websphere Portal » Version: 7.0.0.2 Update Cf022
cpe:2.3:a:ibm:websphere_portal:7.0.0.2:cf022:*:*:*:*:*:*
Matching versions
IBM » Websphere Portal » Version: 7.0.0.1 Update Cf019
cpe:2.3:a:ibm:websphere_portal:7.0.0.1:cf019:*:*:*:*:*:*
Matching versions
IBM » Websphere Portal » Version: 7.0.0.2 Update Cf019
cpe:2.3:a:ibm:websphere_portal:7.0.0.2:cf019:*:*:*:*:*:*
Matching versions
IBM » Websphere Portal » Version: 7.0.0.2 Update Cf020
cpe:2.3:a:ibm:websphere_portal:7.0.0.2:cf020:*:*:*:*:*:*
Matching versions
IBM » Websphere Portal » Version: 8.0.0.0 Update Cf05
cpe:2.3:a:ibm:websphere_portal:8.0.0.0:cf05:*:*:*:*:*:*
Matching versions
IBM » Websphere Portal » Version: 8.0.0.0 Update Cf04
cpe:2.3:a:ibm:websphere_portal:8.0.0.0:cf04:*:*:*:*:*:*
Matching versions
IBM » Websphere Portal » Version: 8.0.0.1 Update Cf04
cpe:2.3:a:ibm:websphere_portal:8.0.0.1:cf04:*:*:*:*:*:*
Matching versions
IBM » Websphere Portal » Version: 8.0.0.1 Update Cf05
cpe:2.3:a:ibm:websphere_portal:8.0.0.1:cf05:*:*:*:*:*:*
Matching versions
IBM » Websphere Portal » Version: 8.0.0.0 Update Cf03
cpe:2.3:a:ibm:websphere_portal:8.0.0.0:cf03:*:*:*:*:*:*
Matching versions
IBM » Websphere Portal » Version: 8.0.0.1
cpe:2.3:a:ibm:websphere_portal:8.0.0.1:*:*:*:*:*:*:*
Matching versions
IBM » Websphere Portal » Version: 7.0.0.2 Update Cf23
cpe:2.3:a:ibm:websphere_portal:7.0.0.2:cf23:*:*:*:*:*:*
Matching versions
IBM » Websphere Portal » Version: 7.0.0.2 Update Cf26
cpe:2.3:a:ibm:websphere_portal:7.0.0.2:cf26:*:*:*:*:*:*
Matching versions
IBM » Websphere Portal » Version: 7.0.0.2 Update Cf27
cpe:2.3:a:ibm:websphere_portal:7.0.0.2:cf27:*:*:*:*:*:*
Matching versions
IBM » Websphere Portal » Version: 7.0.0.2 Update Cf24
cpe:2.3:a:ibm:websphere_portal:7.0.0.2:cf24:*:*:*:*:*:*
Matching versions
IBM » Websphere Portal » Version: 7.0.0.2 Update Cf25
cpe:2.3:a:ibm:websphere_portal:7.0.0.2:cf25:*:*:*:*:*:*
Matching versions
IBM » Websphere Portal » Version: 8.0.0.1 Update Cf07
cpe:2.3:a:ibm:websphere_portal:8.0.0.1:cf07:*:*:*:*:*:*
Matching versions
IBM » Websphere Portal » Version: 8.0.0.1 Update Cf08
cpe:2.3:a:ibm:websphere_portal:8.0.0.1:cf08:*:*:*:*:*:*
Matching versions
IBM » Websphere Portal » Version: 8.0.0.1 Update Cf06
cpe:2.3:a:ibm:websphere_portal:8.0.0.1:cf06:*:*:*:*:*:*
Matching versions
IBM » Websphere Portal » Version: 8.0.0.1 Update Cf09
cpe:2.3:a:ibm:websphere_portal:8.0.0.1:cf09:*:*:*:*:*:*
Matching versions
IBM » Websphere Portal » Version: 8.0.0.1 Update Cf12
cpe:2.3:a:ibm:websphere_portal:8.0.0.1:cf12:*:*:*:*:*:*
Matching versions
IBM » Websphere Portal » Version: 7.0.0.2
cpe:2.3:a:ibm:websphere_portal:7.0.0.2:-:*:*:*:*:*:*
Matching versions
IBM » Websphere Portal Unified Task List Portlet » Version: 6.0.1
cpe:2.3:a:ibm:websphere_portal_unified_task_list_portlet:6.0.1:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2014-3055

EPSS FAQ

0.29%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 50 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2014-3055

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial

CWE ids for CVE-2014-3055

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2014-3055

http://www-01.ibm.com/support/docview.wss?uid=swg1PI18909

IBM notice: The page you requested cannot be displayed

CVEs referencing this url
https://exchange.xforce.ibmcloud.com/vulnerabilities/93529

IBM Unified Task List (UTL) Portlet - SQL Injection CVE-2014-3055 Vulnerability Report
http://www-01.ibm.com/support/docview.wss?uid=swg21677032

IBM Security Bulletin: Fixes available for Security Vulnerabilities in IBM WebSphere Portal related to Unified Task List (UTL) Portlet (CVE-2014-3054, CVE-2014-3055, CVE-2014-3056, CVE-2014-3057)
Vendor Advisory

CVEs referencing this url
http://secunia.com/advisories/60499

Sign in

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2014-3055

Products affected by CVE-2014-3055

Exploit prediction scoring system (EPSS) score for CVE-2014-3055

CVSS scores for CVE-2014-3055

CWE ids for CVE-2014-3055

References for CVE-2014-3055