Description
IBM WebSphere Application Server 6.0 and earlier, when sharing the document root of the web server, allows remote attackers to obtain the source code for Java Server Pages (.jsp) via an HTTP request with an invalid Host header, which causes the page to be processed by the web server instead of the JSP engine.
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by SPI Labs · textremotemultiple
https://www.exploit-db.com/exploits/25420
References (6)
Core 6
Core References
Mailing List mailing-list
x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=111342594129109&w=2
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/20099
Third Party Advisory, VDB Entry vdb-entry
x_refsource_osvdb
http://www.osvdb.org/15501
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/13160
Vendor Advisory vdb-entry
x_refsource_sectrack
http://securitytracker.com/id?1013697
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/14962
Scores
EPSS
0.1215
EPSS Percentile
93.9%
Details
Status
published
Products (20)
ibm/websphere_application_server
5.0
ibm/websphere_application_server
5.0.1
ibm/websphere_application_server
5.0.2
ibm/websphere_application_server
5.0.2.1
ibm/websphere_application_server
5.0.2.3
ibm/websphere_application_server
5.0.2.4
ibm/websphere_application_server
5.0.2.5
ibm/websphere_application_server
5.0.2.6
ibm/websphere_application_server
5.0.2.7
ibm/websphere_application_server
5.0.2.8
... and 10 more
Published
May 02, 2005
Tracked Since
Feb 18, 2026