ID CVE-2004-0917 Type cve Reporter NVD Modified 2017-07-10T21:30:34
Description
The default installation of Vignette Application Portal installs the diagnostic utility without authentication requirements, which allows remote attackers to gain sensitive information, such as server and OS version, and conduct unauthorized activities via an HTTP request to /diag.
{"id": "CVE-2004-0917", "bulletinFamily": "NVD", "title": "CVE-2004-0917", "description": "The default installation of Vignette Application Portal installs the diagnostic utility without authentication requirements, which allows remote attackers to gain sensitive information, such as server and OS version, and conduct unauthorized activities via an HTTP request to /diag.", "published": "2005-01-27T00:00:00", "modified": "2017-07-10T21:30:34", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0917", "reporter": "NVD", "references": ["https://exchange.xforce.ibmcloud.com/vulnerabilities/17530", "http://www.securityfocus.com/bid/11267", "http://securitytracker.com/id?1011447", "http://www.atstake.com/research/advisories/2004/a092804-1.txt"], "cvelist": ["CVE-2004-0917"], "type": "cve", "lastseen": "2017-07-11T11:14:29", "history": [{"bulletin": {"assessment": {"href": "", "name": "", "system": ""}, "bulletinFamily": "NVD", "cpe": ["cpe:/a:vignette:application_portal"], "cvelist": ["CVE-2004-0917"], "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "description": "The default installation of Vignette Application Portal installs the diagnostic utility without authentication requirements, which allows remote attackers to gain sensitive information, such as server and OS version, and conduct unauthorized activities via an HTTP request to /diag.", "edition": 1, "enchantments": {}, "hash": "dd547543187f6d0b1708e8158ef4bd55bb645af97065e29e37117325f619faaf", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "scanner"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "6fec833fc8468473e15f9a2cccfe950a", "key": "href"}, {"hash": "09723b537d2e286cace95d16ace14c36", "key": "cpe"}, {"hash": "6d3f4796275bb54c21a33b82f399cc6d", "key": "assessment"}, {"hash": "ee82f5a44f1a57e474ccba6301167262", "key": "title"}, {"hash": "2102aea0f3c1ac2cf7204854ab26710d", "key": "cvelist"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "a792e2393dff1e200b885c5245988f6f", "key": "cvss"}, {"hash": "ee48ed599cf6b52521495c50881cab1f", "key": "modified"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "5ab3406b7d5a24c766491e2467ee4d5d", "key": "published"}, {"hash": "90f3c8adc3b2231350ca0471568e8c33", "key": "references"}, {"hash": "2e92a298b0f8056600ea318884062ebb", "key": "description"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0917", "id": "CVE-2004-0917", "lastseen": "2016-09-03T04:29:33", "modified": "2008-09-05T16:39:46", "objectVersion": "1.2", "published": "2005-01-27T00:00:00", "references": ["http://www.securityfocus.com/bid/11267", "http://securitytracker.com/id?1011447", "http://xforce.iss.net/xforce/xfdb/17530", "http://www.atstake.com/research/advisories/2004/a092804-1.txt"], "reporter": "NVD", "scanner": [], "title": "CVE-2004-0917", "type": "cve", "viewCount": 0}, "differentElements": ["references", "modified"], "edition": 1, "lastseen": "2016-09-03T04:29:33"}], "edition": 2, "hashmap": [{"key": "assessment", "hash": "6d3f4796275bb54c21a33b82f399cc6d"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "09723b537d2e286cace95d16ace14c36"}, {"key": "cvelist", "hash": "2102aea0f3c1ac2cf7204854ab26710d"}, {"key": "cvss", "hash": "a792e2393dff1e200b885c5245988f6f"}, {"key": "description", "hash": "2e92a298b0f8056600ea318884062ebb"}, {"key": "href", "hash": "6fec833fc8468473e15f9a2cccfe950a"}, {"key": "modified", "hash": "0261fd53f8823fd8f441eef4e83f7ab1"}, {"key": "published", "hash": "5ab3406b7d5a24c766491e2467ee4d5d"}, {"key": "references", "hash": "5768072a5eb7d0cf5dfe2862a6568d45"}, {"key": "reporter", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "scanner", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "title", "hash": "ee82f5a44f1a57e474ccba6301167262"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "8d9b93feb49e9316c273d361eaa24fb828087c44ac292a8e157b4f30ce57297b", "viewCount": 0, "enchantments": {"vulnersScore": 5.0}, "objectVersion": "1.3", "cpe": ["cpe:/a:vignette:application_portal"], "assessment": {"href": "", "name": "", "system": ""}, "scanner": []}
{"result": {"osvdb": [{"id": "OSVDB:10405", "type": "osvdb", "title": "Vignette Application Portal Diagnostic Utility Information Disclosure", "description": "## Vulnerability Description\nVignette Application Portal Diagnostic Utility contains a flaw of by default it is accessible to anyone that may lead to an unauthorized information disclosure. The issue is triggered when a user makes a certain web request, which will disclose application server and OS versions, database connection parameters, and bean IDs used for accessing portal resources, resulting in a loss of confidentiality.\n## Solution Description\nCurrently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: Restrict access to the diag directory on the web server or application server.\n## Short Description\nVignette Application Portal Diagnostic Utility contains a flaw of by default it is accessible to anyone that may lead to an unauthorized information disclosure. The issue is triggered when a user makes a certain web request, which will disclose application server and OS versions, database connection parameters, and bean IDs used for accessing portal resources, resulting in a loss of confidentiality.\n## References:\nVendor URL: http://www.vignette.com/\nSecurity Tracker: 1011447\n[Secunia Advisory ID:12676](https://secuniaresearch.flexerasoftware.com/advisories/12676/)\nOther Advisory URL: http://www.atstake.com/research/advisories/2004/a092804-1.txt\nISS X-Force ID: 17530\n[CVE-2004-0917](https://vulners.com/cve/CVE-2004-0917)\nBugtraq ID: 11267\n", "published": "2004-09-28T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://vulners.com/osvdb/OSVDB:10405", "cvelist": ["CVE-2004-0917"], "lastseen": "2017-04-28T13:20:05"}], "nessus": [{"id": "VIGNETTE_DIAG_DISCLOSURE.NASL", "type": "nessus", "title": "Vignette Application Portal Diagnostic Utility Information Disclosure", "description": "The remote host is running Vignette Application Portal, a commercially available portal suite.\n\nThere is an information disclosure vulnerability in the remote version of this software. An attacker can request the diagnostic utility which will disclose information about the remote site by requesting /portal/diag/.", "published": "2004-09-29T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=14847", "cvelist": ["CVE-2004-0917"], "lastseen": "2016-09-26T17:24:38"}]}}
