#VU27700 Code Injection in Sun ONE/iPlanet Web Server - CVE-2020-9314

Cybersecurity Help s.r.o.

Published: 2020-05-12

Vulnerability identifier: #VU27700

Vulnerability risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-9314

CWE-ID: CWE-94

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Sun ONE/iPlanet Web Server
Server applications / Web servers

Vendor: Sun

Description

The vulnerability allows a remote attacker to perform a phishing attack.

The vulnerability exists due to improper input validation when processing HTTP requests within the "/admingui/version/" URL in the Administration Console. A remote attacker can send a specially crafted request and permanently inject arbitrary images.

Note, this vulnerability exists due to incomplete fix of SB2012050302 (CVE-2012-0516).

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Note, this product is no longer supported by the vendor.

Vulnerable software versions

Sun ONE/iPlanet Web Server: 7.0

External links
https://www.oracle.com/support/lifetime-support/
https://www.oracle.com/us/assets/lifetime-support-middleware-069163.pdf
https://wwws.nightwatchcybersecurity.com/2020/05/10/two-vulnerabilities-in-oracles-iplanet-web-server-cve-2020-9315-and-cve-2020-9314/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Oracles iPlanet Web Server