CVE-2006-4223

Name of the Vulnerable Software and Affected Versions IBM WebSphere Application Server (WAS) versions prior to 6.0.2.13

Description The issue allows context-dependent attackers to obtain sensitive information via unspecified vectors related to JSP source code exposure. This occurs when ibm-web-ext.xmi sets fileServingEnabled to true or ExtendedDocumentRoot is used to place a JSP outside a WAR file. Additionally, sensitive information can be obtained through the First Failure Data Capture (ffdc) log file and traces.

Recommendations For versions prior to 6.0.2.13, update to version 6.0.2.13 or later to resolve the issue. As a temporary workaround, consider setting fileServingEnabled to false in ibm-web-ext.xmi and avoid using ExtendedDocumentRoot to place JSP files outside a WAR file. Restrict access to the ffdc log file and traces to minimize the risk of exploitation.