Vulnerability CVE-2010-4417


Published: 2011-01-19   Modified: 2012-02-13

Description:
Unspecified vulnerability in the Services for Beehive component in Oracle Fusion Middleware 2.0.1.0, 2.0.1.1, 2.0.1.2, 2.0.1.2.1, and 2.0.1.3 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the January 2011 CPU. Oracle has not commented on claims from a reliable third party coordinator that voice-servlet/prompt-qa/Index.jspf does not properly handle null (%00) bytes in the evaluation parameter that is used in a filename, which allows attackers to create a file with an executable extension and execute arbitrary JSP code.

See advisories in our WLB2 database:
Topic: Oracle BeeHive 2 Code Execution (High)
Author: sinn3r
Date: 03.12.2015

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10

Exploit range: Remote
Attack complexity: Low
Authentication: Not required

Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Affected software:
Oracle -> Beehive

References:
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html
http://www.securityfocus.com/bid/45854
http://www.securitytracker.com/id?1024981
http://www.vupen.com/english/advisories/2011/0143
http://www.zerodayinitiative.com/advisories/ZDI-11-020/
http://xforce.iss.net/xforce/xfdb/64772
https://www.exploit-db.com/exploits/38859/

Copyright 2024, cxsecurity.com
