WaveMaker < 6.4.6 Security Bypass

High Nessus Plugin ID 60063

Synopsis

A web development application hosted on the remote web server has a security bypass vulnerability.

Description

According to its self-reported version number, the version of WaveMaker installed on the remote host has a security bypass vulnerability. Any projects deployed with WaveMaker Studio before 6.4.6 are affected by this vulnerability. A remote attacker could exploit this by requesting project services using unspecified URLs.

Solution

Upgrade to WaveMaker 6.4.6 or later.

Existing projects should be redeployed by WaveMaker Studio 6.4.6 or later in order to address this issue. If redeployment is not possible, consider the workaround referenced in the WaveMaker 6.4.6 release notes.

See Also

http://www.nessus.org/u?32760b3d

http://dev.wavemaker.com/wiki/bin/wmdoc_6.4/WM646RelNotes

Plugin Details

Severity: High

ID: 60063

File Name: wavemaker_studio_security_bypass.nasl

Version: 1.5

Type: remote

Family: CGI abuses

Published: 2012/07/19

Updated: 2018/08/08

Dependencies: 60061

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

Vulnerability Information

CPE: x-cpe:/a:vmware:wavemaker

Required KB Items: www/wavemaker_studio

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2012/06/22

Vulnerability Publication Date: 2012/06/22

Reference Information

BID: 54196