CVE-2015-2017 — Path Traversal in IBM Websphere Application Server

CWE-22 — Path Traversal CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-346 — Origin Validation Error29 documents12 sources

Severity

4.3MEDIUMNVD

EPSS

0.4%

top 42.49%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

IBM Websphere Application Server

Timeline

PublishedNov 8

Latest updateOct 1

Description

CRLF injection vulnerability in IBM WebSphere Application Server (WAS) 6.1 through 6.1.0.47, 7.0 before 7.0.0.39, 8.0 before 8.0.0.12, and 8.5 before 8.5.5.8 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages1 packages

▶NVDibm/websphere_application_server84 versions+83

🔴Vulnerability Details

OSV

libmspack vulnerabilities↗2025-10-01

▶

OSV

nova vulnerabilities↗2023-02-13

▶

GHSA

GHSA-8r6c-52gg-72c8: CRLF injection vulnerability in IBM WebSphere Application Server (WAS) 6↗2022-05-17

▶

OSV

linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities↗2018-02-22

▶

CVEList

CVE-2015-2017: CRLF injection vulnerability in IBM WebSphere Application Server (WAS) 6↗2015-11-08

▶

📋Vendor Advisories

Red Hat

kernel: load_elf_ binary() does not take account of the need to allocate sufficient space for the entire binary↗2017-09-26

▶

Red Hat

cpio: --no-absolute-filenames bypass via symlinks↗2017-06-05

▶

Microsoft

avahi-daemon in Avahi through 0.6.32 and 0.7 inadvertently responds to IPv6 unicast queries with source addresses that are not on-link which allows remote attackers to cause a denial of service (traff↗2017-05-09

▶

Red Hat

salt: local_batch client external authentication not respected↗2017-01-20

▶

Red Hat

salt: Salt-api allows arbitrary command execution on a salt-master via Salt's ssh_client↗2017-01-20

▶

🕵️Threat Intelligence

Fortinet

The Analysis of Apache Struts 1 Form Field Input Validation Bypass (CVE-2015-0899)↗2017-10-25

▶

💬Community

Bugzilla

CVE-2015-9099 CVE-2015-9100 CVE-2017-11720 CVE-2017-13712 CVE-2017-15018 CVE-2017-15019 CVE-2017-15045 CVE-2017-15046 CVE-2017-9410 CVE-2017-9411 CVE-2017-9412 CVE-2017-8419 lame: Multiple vulnerabili↗2017-07-12

▶

Bugzilla

CVE-2016-10229 kernel: net: Unsafe second checksum calculation in udp.c↗2017-04-06

▶

Bugzilla

CVE-2015-8870 libtiff: Integer overflow in tools/bmp2tiff.c↗2016-12-08

▶