CVE-2009-2445

EXPLOITED

Oracle iPlanet Web Server <7.0 - Info Disclosure


Exploitation Summary

CVE-2009-2445 has been observed exploited in the wild (reported by VulnCheck KEV).

Description

Oracle iPlanet Web Server (formerly Sun Java System Web Server or Sun ONE Web Server) 6.1 before SP12, and 7.0 through Update 6, when running on Windows, allows remote attackers to read arbitrary JSP files via an alternate data stream syntax, as demonstrated by a .jsp::$DATA URI.

References (8)

Core References
Third Party Advisory (third-party-advisory, x_refsource_jvn)
http://jvn.jp/en/jp/JVN47124169/index.html
Vendor Advisory (vendor-advisory, x_refsource_sunalert)
http://sunsolve.sun.com/search/document.do?assetkey=1-26-266429-1
Vendor Advisory (third-party-advisory, x_refsource_secunia)
http://secunia.com/advisories/35701
Vendor Advisory (vdb-entry, x_refsource_vupen)
http://www.vupen.com/english/advisories/2009/1786
Third Party Advisory (third-party-advisory, x_refsource_jvndb)
http://jvndb.jvn.jp/jvndb/JVNDB-2009-002069
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_osvdb)
http://www.osvdb.org/55655
Exploit (vdb-entry, x_refsource_sectrack)
http://securitytracker.com/id?1022511
Exploit (x_refsource_misc)
http://isowarez.de/SunOne_Webserver.txt

Scores

EPSS: 0.0078
EPSS Percentile: 73.9%

Details

VulnCheck KEV: 2024-05-07
CWE: CWE-200
Status: published
Products (2):
sun/java_system_web_server 6.1 (9 CPE variants)
sun/java_system_web_server 7.0 update_5 (2 CPE variants)
Published: Jul 13, 2009
Tracked Since: Feb 18, 2026