[VIM] CVE-2007-5944 vs CVE-2006-3918

Steven M. Christey coley at linus.mitre.org
Wed Nov 21 00:34:58 UTC 2007

> Is the XSS issue covered by CVE-2007-5944 any different from that in
> CVE-2006-3918? Both arise from a failure to filter user-supplied input
> passed via an Expect header.

CVE-wise, we'll do separate identifiers for separate

These do look pretty similar.  So, the only question is whether WebSphere
Web Application server is built on top of Apache or not - my sense is that
it isn't (except maybe a community edition), although
suggests strong support for Apache as a plugin (via IBM HTTP Server, which
is "powered by apache").

Current CVE analysis is:

  ABSTRACTION: CVE-2006-3918 is for Apache.  This is based on IBM
  documents that mention WebSphere Application Server (WAS).  WAS can
  install an IBM HTTP Server plug-in, which is based on Apache, but it can
  also install separate products.  It is not clear whether WAS implements
  its own functionality that has the Expect header issue, or whether it's
  "inheriting" it from the web servers that it uses.

I've made a note of the possible dupe.

- Steve

More information about the VIM mailing list