Oracle GlassFish Server 3.0.1 < 3.0.1.7 / 3.1.2 < 3.1.2.5 Multiple Vulnerabilities (April 2013 CPU)

This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.


Synopsis :

The remote web server is affected by multiple vulnerabilities.

Description :

The version of GlassFish Server running on the remote host is affected
by multiple vulnerabilities :

- Cross-site scripting (XSS) vulnerabilities exist in its
admin and rest interface. These vulnerabilities permit
JavaScript to be run in the context of GlassFish, which
may result in credentials of authenticated users being
stolen. (CVE-2013-1508, CVE-2013-1515)

- A cross-site request forgery (CSRF) vulnerability exists
in its REST interface. An authenticated user may be
tricked into visiting a web page that leverages this
vulnerability.

- A JSF source exposure vulnerability exists that affects
confidentiality.

See also :

http://www.nessus.org/u?028971b4
http://www.nessus.org/u?5ddb666a

Solution :

Upgrade to GlassFish Server 3.0.1.7 / 3.1.2.5 or later.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 3.2
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Web Servers

Nessus Plugin ID: 66804 ()

Bugtraq ID: 59143
59151

CVE ID: CVE-2013-1508
CVE-2013-1515