IBM Eclipse Help System multiple products URL source code disclosure

iehs-cve20130467-source-disclosure (81102) The risk level is classified as Medium Risk

Description:

IBM Eclipse Help System, as used in multiple IBM products, could allow a remote attacker to obtain sensitive information. An attacker could send a specially-crafted URL to view source code on the help system server.

*CVSS:

Base Score: 4
  Access Vector: Network
  Access Complexity: Low
  Authentication: Single
  Confidentiality Impact: Partial
  Integrity Impact: None
  Availability Impact: None
 
Temporal Score: 3.5
  Exploitability: High
  Remediation Level: Official-Fix
  Report Confidence: Confirmed

Consequences:

Obtain Information

Remedy:

Refer to the appropriate IBM Security Bulletin for patch, upgrade or suggested workaround information. See References.

For other distributions:
Apply the appropriate update for your system.

References:

  • IBM Security Bulletin 1612193: Open Redirect and Cross-Site Scripting Vulnerabilities in the locally installable IBM DB2 Information Center (CVE-2012-2159, CVE-2012-2161, CVE-2013-0467).
  • IBM Security Bulletin 1625573: Open redirect and cross-site scripting vulnerabilities in the IBM Data Studio help system (CVE-2012-2159, CVE-2012-2161, CVE-2013-0467).
  • IBM Security Bulletin 1631825: IBM InfoSphere Information Server Suite: Source disclosure in InfoSphere information Server's Help System (CVE-2013-0467).
  • IBM Security Bulletin 1637954: Vulnerability in IBM SPSS Data Collection due to issues in Eclipse Help System (CVE-2013-0464, CVE-2013-0467).
  • IBM Security Bulletin 1639856: Vulnerabilities in IBM Rational Insight's Help System (CVE-2013-0464, CVE-2013-0467 & CVE-2013-0599).
  • IBM Security Bulletin 1640230: Source disclosure in IBM InfoSphere Identity Insight's Help System (CVE-2013-0467).
  • IBM Security Bulletin 1640616: IBM OmniFind Enterprise Edition and IBM Content Analytics (CVE-2013-0599, CVE-2013-0464, CVE-2013-0467).
  • IBM Security Bulletin 1640654: Vulnerability in IBM Rational ClearQuest Help System (CVE-2013-0467 & CVE-2013-0599).
  • IBM Security Bulletin 1647392: IBM Security SiteProtector System can be affected by a vulnerability in the IBM Eclipse Help System (IEHS) (CVE-2013-0467).
  • IBM Security Bulletin 1649664: IBM Rational Change can be affected by vulnerabilities in the IBM Eclipse Help System (IEHS) (CVE-2013-0464 and CVE-2013-0467).
  • IBM Security Bulletin 1649711: Vulnerabilities in IBM Rational Synergy's Help System (CVE-2013-0464, CVE-2013-0467 & CVE-2013-0599).
  • IBM Security Bulletin 1651414: Multiple security vulnerabilities in IEHS.
  • IBM Security Bulletin 1651947: Multiple IBM Eclipse Help System (IEHS) vulnerabilities used in IBM License Metric Tool and IBM Tivoli Asset Discovery for Distributed (CVE-2013-0599, CVE-2013-0464, CVE-2013-0467).
  • IBM Security Bulletin 1662870: Multiple security vulnerabilities exist in WebSphere Transformation Extender (CVE-2013-5802 CVE-2013-4002 CVE-2013-5825 CVE-2013-5372 CVE-2013-0599 CVE-2013-0464 CVE-2013-0467 CVE-2013-2962 CVE-2013-2415).
  • IBM Security Bulletin 1670753: Fix available for security vulnerabilities related to IEHS in IBM WebSphere Portal (multiple CVEs).
  • IBM Security Bulletin 1681229: Fix available for security vulnerabilities related to IEHS in IBM Sametime Meetings and Proxy version 9 (multiple CVEs).
  • IBM Security Bulletin 4035098: IBM Integrated Information Core 1.5.0.1 interim fix for APAR JR46837.
  • BID-58000: IBM Eclipse Help System CVE-2013-0467 Information Disclosure Vulnerability
  • CVE-2013-0467: IBM Eclipse Help System (IEHS), as used in IBM Data Studio 3.1 and 3.1.1 and other products, allows remote authenticated users to read source code via a crafted URL.
  • SA52175: IBM Data Studio Help System Multiple Vulnerabilities
  • SA52489: IBM DB2 Information Center IEHS Multiple Vulnerabilities
  • SA53653: IBM SPSS Data Collection Eclipse Help System Weakness and Vulnerability
  • SA53764: IBM InfoSphere Identity Insight Eclipse Help System Information Disclosure Weakness
  • SA53776: IBM Integrated Information Core Eclipse Help System Weakness and Vulnerability
  • SA54177: IBM Content Manager Enterprise Edition Eclipse Help System Multiple Vulnerabilities

Platforms Affected:

  • IBM Content Analytics 2.2
  • IBM Content Analytics 2.2.0.1
  • IBM Content Analytics 2.2.0.2
  • IBM Content Analytics 2.2.0.3
  • IBM Content Analytics with Enterprise Search 3.0
  • IBM Content Analytics with Enterprise Search 3.0.0.1
  • IBM Content Analytics with Enterprise Search 3.0.0.2
  • IBM Data Studio 3.1
  • IBM Data Studio 3.1.1
  • IBM DB2 Information Center 10.1
  • IBM DB2 Information Center 9
  • IBM DB2 Information Center 9.5
  • IBM DB2 Information Center 9.7
  • IBM Eclipse Help System
  • IBM InfoSphere Identity Insight 8.0
  • IBM InfoSphere Identity Insight 8.1
  • IBM InfoSphere Information Server 8.0
  • IBM InfoSphere Information Server 8.1
  • IBM InfoSphere Information Server 8.5
  • IBM InfoSphere Information Server 8.7
  • IBM Integrated Information Core 1.5.0.1
  • IBM License Metric Tool 7.5
  • IBM OmniFind Enterprise Edition 9.1
  • IBM OmniFind Enterprise Edition 9.1.0.1
  • IBM OmniFind Enterprise Edition 9.1.0.2
  • IBM OmniFind Enterprise Edition 9.1.0.3
  • IBM OmniFind Enterprise Edition 9.1.0.4
  • IBM Rational Change 5.3.0.5
  • IBM Rational ClearQuest 7.1
  • IBM Rational ClearQuest 8.0
  • IBM Rational Insight 1.0
  • IBM Rational Insight 1.0.0.1
  • IBM Rational Insight 1.0.0.2
  • IBM Rational Insight 1.0.1
  • IBM Rational Insight 1.0.1.1
  • IBM Rational Insight 1.1
  • IBM Rational Insight 1.1.1
  • IBM Rational Insight 1.1.1.1
  • IBM Rational Synergy 7.2.0.4
  • IBM Sametime 9.0
  • IBM Sametime 9.0.0.1
  • IBM Security SiteProtector System 2.8.1
  • IBM Security SiteProtector System 2.9
  • IBM SPSS Data Collection 6.0
  • IBM SPSS Data Collection 6.0.1
  • IBM SPSS Data Collection 7.0
  • IBM Tivoli Asset Discovery for Distributed 7.5
  • IBM WebSphere MQ 7.0
  • IBM WebSphere MQ 7.0.0.1
  • IBM WebSphere MQ 7.0.0.2
  • IBM WebSphere MQ 7.0.1
  • IBM WebSphere MQ 7.0.1.1
  • IBM WebSphere MQ 7.0.1.10
  • IBM WebSphere MQ 7.0.1.2
  • IBM WebSphere MQ 7.0.1.3
  • IBM WebSphere MQ 7.0.1.4
  • IBM WebSphere MQ 7.0.1.5
  • IBM WebSphere MQ 7.0.1.6
  • IBM WebSphere MQ 7.0.1.7
  • IBM WebSphere MQ 7.0.1.8
  • IBM WebSphere MQ 7.0.1.9
  • IBM WebSphere MQ 7.0.2
  • IBM WebSphere MQ 7.0.3
  • IBM WebSphere MQ 7.0.4
  • IBM WebSphere MQ 7.0.4.1
  • IBM WebSphere MQ 7.0.4.2
  • IBM WebSphere MQ 7.0.4.3
  • IBM WebSphere MQ 7.1
  • IBM WebSphere MQ 7.1.0.1
  • IBM WebSphere MQ 7.1.0.2
  • IBM WebSphere MQ 7.1.0.3
  • IBM WebSphere MQ 7.5
  • IBM WebSphere MQ 7.5.0.1
  • IBM WebSphere MQ 7.5.0.2
  • IBM WebSphere MQ File Transfer Edition 7.0
  • IBM WebSphere MQ File Transfer Edition 7.0.0.1
  • IBM WebSphere MQ File Transfer Edition 7.0.0.2
  • IBM WebSphere MQ File Transfer Edition 7.0.1
  • IBM WebSphere MQ File Transfer Edition 7.0.1.1
  • IBM WebSphere MQ File Transfer Edition 7.0.1.10
  • IBM WebSphere MQ File Transfer Edition 7.0.1.2
  • IBM WebSphere MQ File Transfer Edition 7.0.1.3
  • IBM WebSphere MQ File Transfer Edition 7.0.1.4
  • IBM WebSphere MQ File Transfer Edition 7.0.1.5
  • IBM WebSphere MQ File Transfer Edition 7.0.1.6
  • IBM WebSphere MQ File Transfer Edition 7.0.1.7
  • IBM WebSphere MQ File Transfer Edition 7.0.1.8
  • IBM WebSphere MQ File Transfer Edition 7.0.1.9
  • IBM WebSphere MQ File Transfer Edition 7.0.2
  • IBM WebSphere MQ File Transfer Edition 7.0.3
  • IBM WebSphere MQ File Transfer Edition 7.0.4
  • IBM WebSphere MQ File Transfer Edition 7.0.4.1
  • IBM WebSphere MQ File Transfer Edition 7.0.4.2
  • IBM WebSphere MQ File Transfer Edition 7.0.4.3
  • IBM WebSphere MQ File Transfer Edition 7.1
  • IBM WebSphere MQ File Transfer Edition 7.1.0.1
  • IBM WebSphere MQ File Transfer Edition 7.1.0.2
  • IBM WebSphere MQ File Transfer Edition 7.1.0.3
  • IBM WebSphere MQ File Transfer Edition 7.5
  • IBM WebSphere MQ File Transfer Edition 7.5.0.1
  • IBM WebSphere MQ File Transfer Edition 7.5.0.2
  • IBM WebSphere Portal 6.1
  • IBM WebSphere Portal 7.0
  • IBM WebSphere Portal 8.0
  • IBM WebSphere Transformation Extender Design Studio
  • IBM WebSphere Transformation Extender for Application Programming
  • IBM WebSphere Transformation Extender for Integration Servers
  • IBM WebSphere Transformation Extender for Launcher Hypervisor
  • IBM WebSphere Transformation Extender with Command Server
  • IBM WebSphere Transformation Extender with Launcher

Reported:

Feb 15, 2013

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@us.ibm.com


* According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.