CVE-2004-0928

The Microsoft IIS Connector in JRun 4.0 and Macromedia ColdFusion MX 6.0, 6.1, and 6.1 J2EE allows remote attackers to bypass authentication and view source files, such as .asp, .pl, and .php files, via an HTTP request that ends in ";.cfm".

CVSS v2.0 5.0 MEDIUM

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://www.idefense.com/application/poi/display?id=148&type=vulnerabilities	Patch Vendor Advisory
http://www.macromedia.com/devnet/security/security_zone/mpsb04-08.html	Patch Vendor Advisory
http://www.macromedia.com/devnet/security/security_zone/mpsb04-09.html	Patch Vendor Advisory
http://www.kb.cert.org/vuls/id/977440	Patch Third Party Advisory US Government Resource
http://www.securityfocus.com/bid/11245	Patch Vendor Advisory
http://secunia.com/advisories/12638/	Patch Vendor Advisory
http://secunia.com/advisories/12647/	Patch Vendor Advisory
http://marc.info/?l=bugtraq&m=109621995623823&w=2
https://exchange.xforce.ibmcloud.com/vulnerabilities/17484

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:hitachi:cosminexus_enterprise:01_02_2::enterprise:::::
	cpe:2.3:a:hitachi:cosminexus_enterprise:01_02_2::standard:::::
	cpe:2.3:a:macromedia:jrun:4.0:::::::*
	cpe:2.3:a:hitachi:cosminexus_enterprise:01_01_1::enterprise:::::
	cpe:2.3:a:hitachi:cosminexus_enterprise:01_01_1::standard:::::
	cpe:2.3:a:macromedia:jrun:3.0:::::::*
	cpe:2.3:a:macromedia:jrun:3.1:::::::*
	cpe:2.3:a:hitachi:cosminexus_server:web_01-01_1:::::::*
	cpe:2.3:a:hitachi:cosminexus_server:web_01-01_2:::::::*
	cpe:2.3:a:macromedia:coldfusion:6.0:::::::*
	cpe:2.3:a:macromedia:coldfusion:6.1:::::::*

Information

Published : 2004-10-05 04:00

Updated : 2017-07-11 01:30

NVD link : CVE-2004-0928

Mitre link : CVE-2004-0928

JSON object : View

Products Affected

macromedia

jrun
coldfusion

hitachi

cosminexus_enterprise
cosminexus_server

CWE

NVD-CWE-Other

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://www.idefense.com/application/poi/display?id=148&type=vulnerabilities", "name": "20041005 ColdFusion MX 6.1 on IIS File Contents Disclosure", "tags": ["Patch", "Vendor Advisory"], "refsource": "IDEFENSE"}, {"url": "http://www.macromedia.com/devnet/security/security_zone/mpsb04-08.html", "name": "http://www.macromedia.com/devnet/security/security_zone/mpsb04-08.html", "tags": ["Patch", "Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "http://www.macromedia.com/devnet/security/security_zone/mpsb04-09.html", "name": "http://www.macromedia.com/devnet/security/security_zone/mpsb04-09.html", "tags": ["Patch", "Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "http://www.kb.cert.org/vuls/id/977440", "name": "VU#977440", "tags": ["Patch", "Third Party Advisory", "US Government Resource"], "refsource": "CERT-VN"}, {"url": "http://www.securityfocus.com/bid/11245", "name": "11245", "tags": ["Patch", "Vendor Advisory"], "refsource": "BID"}, {"url": "http://secunia.com/advisories/12638/", "name": "12638", "tags": ["Patch", "Vendor Advisory"], "refsource": "SECUNIA"}, {"url": "http://secunia.com/advisories/12647/", "name": "12647", "tags": ["Patch", "Vendor Advisory"], "refsource": "SECUNIA"}, {"url": "http://marc.info/?l=bugtraq&m=109621995623823&w=2", "name": "20040923 New Macromedia Security Zone Bulletins Posted", "tags": [], "refsource": "BUGTRAQ"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/17484", "name": "coldfusion-jrun-restriction-bypass(17484)", "tags": [], "refsource": "XF"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "The Microsoft IIS Connector in JRun 4.0 and Macromedia ColdFusion MX 6.0, 6.1, and 6.1 J2EE allows remote attackers to bypass authentication and view source files, such as .asp, .pl, and .php files, via an HTTP request that ends in \";.cfm\"."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2004-0928", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2004-10-05T04:00Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:hitachi:cosminexus_enterprise:01_02_2:*:enterprise:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:hitachi:cosminexus_enterprise:01_02_2:*:standard:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:macromedia:jrun:4.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:hitachi:cosminexus_enterprise:01_01_1:*:enterprise:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:hitachi:cosminexus_enterprise:01_01_1:*:standard:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:macromedia:jrun:3.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:macromedia:jrun:3.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:hitachi:cosminexus_server:web_01-01_1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:hitachi:cosminexus_server:web_01-01_2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:macromedia:coldfusion:6.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:macromedia:coldfusion:6.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2017-07-11T01:30Z"}