PT-2012-3880 · Ibm · Ibm Websphere Mq File Transfer Edition

Nir Valtman

Published

2012-08-17

Updated

2017-08-29

CVE-2012-2206

CVSS v2.0

3.5

Low

Vector

AV:N/AC:M/Au:S/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions IBM WebSphere MQ File Transfer Edition versions 7.0.4 and earlier

Description The issue allows remote authenticated users to read files of arbitrary users via vectors involving a username in a URI. This can be demonstrated by modifying the metadata=fteSamplesUser field to the "/transfer" API endpoint.

Recommendations For IBM WebSphere MQ File Transfer Edition versions 7.0.4 and earlier, consider restricting access to the "/transfer" API endpoint until a fix is available. As a temporary workaround, avoid using the metadata field with user-specific data in the "/transfer" URI to minimize the risk of exploitation.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-264

Related Identifiers

CVE-2012-2206

Affected Products

Ibm Websphere Mq File Transfer Edition

PT-2012-3880 · Ibm · Ibm Websphere Mq File Transfer Edition

CVE-2012-2206

Weakness Enumeration

Related Identifiers

Affected Products

References · 6