IBM Support

Security Bulletin: WebSphere Dashboard Framework contains a vulnerability that
allows file access and deletion.


Summary

WebSphere Dashboard Framework contains a vulnerability in a charting feature
used to access and delete generated images in a temporary folder. A fix has been created
that removes the vulnerability.

Vulnerability Details

WebSphere Dashboard Framework contains a vulnerability in a charting feature used to
access and delete generated images in a temporary folder. In general, this charting feature
would be protected by security constraints that limit its use to authenticated users.
However, customers may misconfigure these security constraints, allowing
unauthenticated access to the feature. It is also possible that an authenticated yet
malicious user could employ the feature to retrieve and delete files.
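
An added example, not IBM's code or part of the bulletin: a Python check of whether a servlet deployment descriptor leaves a path reachable without authentication, which is the misconfiguration described above. It assumes the constraints are standard `security-constraint` elements in `web.xml` and ignores `http-method-omission`; the path `/CHART_PATH_PLACEHOLDER`, the role name and the sample descriptor are constructed, since the bulletin does not give the feature's URL.

```python
import xml.etree.ElementTree as ET

# Constructed descriptor. /CHART_PATH_PLACEHOLDER is a stand-in: the bulletin
# does not name the URL of the charting feature. The role name is made up.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
 <security-constraint>
  <web-resource-collection>
   <url-pattern>/CHART_PATH_PLACEHOLDER/*</url-pattern>
   <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>dashboard-user</role-name></auth-constraint>
 </security-constraint>
</web-app>"""

def rank_pattern(pattern, path):
    """Servlet-spec match rank of a url-pattern for path, or None if no match."""
    if pattern == path:
        return (3, len(pattern))                      # exact match
    if pattern.endswith("/*") and (path + "/").startswith(pattern[:-1]):
        return (2, len(pattern))                      # path prefix, longest wins
    if pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return (1, 0)                                 # extension match
    return (0, 0) if pattern == "/" else None         # default mapping

def access_for(web_xml, path, method):
    """Return 'unauthenticated', 'authenticated' or 'denied' for one request."""
    rules = []  # (rank, methods, auth) for each url-pattern matching path
    for sc in ET.fromstring(web_xml).findall("{*}security-constraint"):
        ac = sc.find("{*}auth-constraint")
        # Missing auth-constraint: open. Empty one: nobody. Otherwise: roles.
        auth = "open" if ac is None else "roles" if ac.findall("{*}role-name") else "deny"
        for wrc in sc.findall("{*}web-resource-collection"):
            methods = {m.text.strip().upper() for m in wrc.findall("{*}http-method")}
            for up in wrc.findall("{*}url-pattern"):
                rank = rank_pattern(up.text.strip(), path)
                if rank is not None:
                    rules.append((rank, methods, auth))
    best = max((r[0] for r in rules), default=None)
    # Only constraints on the best-matching pattern that cover the method apply;
    # an empty http-method list covers every method.
    applied = {a for rank, methods, a in rules
               if rank == best and (not methods or method in methods)}
    if "deny" in applied:
        return "denied"
    return "authenticated" if applied == {"roles"} else "unauthenticated"

if __name__ == "__main__":
    for m in ("GET", "POST"):
        print(m, access_for(SAMPLE_WEB_XML, "/CHART_PATH_PLACEHOLDER/img.png", m))
```

A path reported as `authenticated` is still exposed to the authenticated yet malicious user the bulletin mentions, so the check does not replace the APARs.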

CVE ID: CVE-2013-6728
Description: WebSphere Dashboard Framework contains a vulnerability that allows file
access and deletion.


CVSS Base Score: 4.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/89283 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:P/A:N)

Affected Products and Versions

WebSphere Dashboard Framework versions 6.1.5 and 7.0.1.

Remediation/Fixes

For WDF 6.1.5 install APAR LO78265. For WDF 7.0.1 install APAR LO78266. These
APARs can be obtained from IBM support.

Workarounds and Mitigations

None

References

Change History

17 January 2014: Original Copy Published

*The CVSS Environment Score is customer environment specific and will ultimately
impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability
in their environments by accessing the links in the References section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to
convey vulnerability severity and help to determine urgency and priority of response."
IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY
KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE
FOR ASSESSING THE IMPACT

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Information

Modified date: 11 February 2020

UID: swg21663022