CVE-2006-6637: Infoleak
First published: Tue Dec 19 2006(Updated: )
The Servlet Engine and Web Container in IBM WebSphere Application Server (WAS) before 6.0.2.17, when ibm-web-ext.xmi sets fileServingEnabled to true and servlet caching is enabled, allows remote attackers to obtain JSP source code and other sensitive information via "specific requests."
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| IBM WebSphere Application Server Feature Pack for Web Services | =6.0.2.1 | |
| IBM WebSphere Application Server Feature Pack for Web Services | =6.0.2.5 | |
| IBM WebSphere Application Server Feature Pack for Web Services | =6.0.2.13 | |
| IBM WebSphere Application Server Feature Pack for Web Services | =6.0.2.9 | |
| IBM WebSphere Application Server Feature Pack for Web Services | =6.0.2.11 | |
| IBM WebSphere Application Server Feature Pack for Web Services | =6.0.2.15 | |
| IBM WebSphere Application Server Feature Pack for Web Services | =6.0.2.7 | |
| IBM WebSphere Application Server Feature Pack for Web Services | =6.0.2.3 | |
| =6.0.2.1 | ||
| =6.0.2.3 | ||
| =6.0.2.5 | ||
| =6.0.2.7 | ||
| =6.0.2.9 | ||
| =6.0.2.11 | ||
| =6.0.2.13 | ||
| =6.0.2.15 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www-1.ibm.com/support/docview.wss?uid=swg27006876
- http://secunia.com/advisories/23414
- http://www.securityfocus.com/bid/21636
- http://www-1.ibm.com/support/docview.wss?uid=swg21243541
- http://www-1.ibm.com/support/docview.wss?uid=swg24015155
- http://www.securityfocus.com/bid/22991
- http://secunia.com/advisories/24478
- http://www.vupen.com/english/advisories/2006/5050
- http://www.vupen.com/english/advisories/2007/0970
Frequently Asked Questions
What are the risks associated with CVE-2006-6637?
CVE-2006-6637 allows remote attackers to access JSP source code and sensitive information, posing significant security risks to affected applications.
How can organizations mitigate CVE-2006-6637?
Organizations can mitigate CVE-2006-6637 by disabling servlet caching and ensuring that file serving is not enabled in the ibm-web-ext.xmi configuration.
Which versions of IBM WebSphere Application Server are vulnerable to CVE-2006-6637?
IBM WebSphere Application Server versions 6.0.2.1, 6.0.2.3, 6.0.2.5, 6.0.2.7, 6.0.2.9, 6.0.2.11, 6.0.2.13, and 6.0.2.15 are all vulnerable to CVE-2006-6637.
What actions should be taken if CVE-2006-6637 is detected in an environment?
If CVE-2006-6637 is detected, it is crucial to immediately disable vulnerable configurations and apply appropriate patches or updates.
Is CVE-2006-6637 commonly exploited in the wild?
While CVE-2006-6637 is a known vulnerability, its active exploitation may vary, so monitoring and patching are advised to prevent potential attacks.
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/weakness
- agent/severity
- agent/references
- agent/author
- agent/description
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/source
- agent/last-modified-date
- agent/softwarecombine
- agent/event
- agent/tags
- vendor/ibm
- canonical/ibm websphere application server feature pack for web services
- version/ibm websphere application server feature pack for web services/6.0.2.1
- version/ibm websphere application server feature pack for web services/6.0.2.5
- version/ibm websphere application server feature pack for web services/6.0.2.13
- version/ibm websphere application server feature pack for web services/6.0.2.9
- version/ibm websphere application server feature pack for web services/6.0.2.11
- version/ibm websphere application server feature pack for web services/6.0.2.15
- version/ibm websphere application server feature pack for web services/6.0.2.7
- version/ibm websphere application server feature pack for web services/6.0.2.3