JVNDB-2016-000098

TERASOLUNA Server Framework for Java(WEB) access restriction bypass vulnerability in the file extention filter

The TERASOLUNA Server Framework for Java(WEB) provided by NTT Data Corporation is a software framework for creating web applications. The TERASOLUNA Server Framework for Java(WEB) has a function to restrict access to contents with specified file extentions from browser requests. This function may be bypassed when a specially crafted path is received.

NTT Data Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and NTT Data Corporation coordinated under the Information Security Early Warning Partnership.

NTT DATA

• TERASOLUNA Server Framework for Java(Web) versions 2.0.0.1 through 2.0.6.1

Effects vary depending on the web application. For example, a remote attacker may obtain information on the server where the product resides.

[Apply the update module]
The developer has released an update module (PI-SJW-261-1) for TERASOLUNA Server Framework for Java(WEB) versions 2.0.0.1 through 2.0.6.1.
Apply the update module according to the information provided by the developer.

NTT DATA

• NTT DATA Corporation : TERASOLUNA Framework (in Japanese)

FUJITSU

• FUJITSU : CVE-2016-1183(JVN#74659077) (in Japanese)

1. Permissions(CWE-264) [IPA Evaluation]

1. CVE-2016-1183

1. JVN : JVN#74659077
2. National Vulnerability Database (NVD) : CVE-2016-1183

• [2016/06/07]
    Web page was published
  [2016/06/27]
    References : Content was added