| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complex
ity
|
Authen
tication
|
Confiden
tiality
|
Integrity
|
Availa
bility
|
|
1 |
CVE-2012-2162 |
310 |
|
+Info |
2012-05-01 |
2012-05-13 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The Web Server Plug-in in IBM WebSphere Application Server (WAS) 8.0 and earlier uses unencrypted HTTP communication after expiration of the plugin-key.kdb password, which allows remote attackers to obtain sensitive information by sniffing the network, or spoof arbitrary servers via a man-in-the-middle attack. |
|
2 |
CVE-2012-0707 |
79 |
|
XSS |
2012-02-23 |
2012-03-20 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in IBM WebSphere Lombardi Edition 7.2 allows remote attackers to inject arbitrary web script or HTML via crafted text input to a coach that is configured with a document attachment control section. |
|
3 |
CVE-2012-0193 |
20 |
|
DoS |
2012-01-19 |
2012-01-20 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
IBM WebSphere Application Server (WAS) 6.0 through 6.0.2.43, 6.1 before 6.1.0.43, 7.0 before 7.0.0.23, and 8.0 before 8.0.0.3 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. |
|
4 |
CVE-2011-5066 |
200 |
|
+Info |
2012-01-14 |
2012-02-08 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The SibRaRecoverableSiXaResource class in the Default Messaging Component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.41 does not properly handle a Service Integration Bus (SIB) dump operation involving the First Failure Data Capture (FFDC) introspection code, which allows local users to obtain sensitive information by reading the FFDC log file. |
|
5 |
CVE-2011-5065 |
79 |
|
XSS |
2012-01-14 |
2012-02-16 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.41 allows remote attackers to inject arbitrary web script or HTML via vectors related to web messaging. |
|
6 |
CVE-2011-1683 |
264 |
|
|
2011-04-13 |
2011-04-21 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
IBM WebSphere Application Server (WAS) 6.0.x through 6.0.2.43, 6.1.x before 6.1.0.37, and 7.0.x before 7.0.0.17 on z/OS, when a Local OS user registry or Federated Repository with RACF adapter is used, allows remote attackers to obtain unspecified application access via unknown vectors. |
|
7 |
CVE-2011-1377 |
|
|
|
2012-01-14 |
2012-01-17 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
The Web Services Security component in the Web Services Feature Pack before 6.1.0.41 for IBM WebSphere Application Server (WAS) 6.1 does not properly handle the enabling of WS-Security for a JAX-WS application, which has unspecified impact and attack vectors. |
|
8 |
CVE-2011-1376 |
264 |
|
|
2012-01-19 |
2012-01-19 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
iscdeploy in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.43, 7.0 before 7.0.0.21, and 8.0 before 8.0.0.2 on the IBM i platform sets weak permissions under systemapps/isclite.ear/ and bin/client_ffdc/, which allows local users to read or modify files via standard filesystem operations. |
|
9 |
CVE-2011-1368 |
200 |
|
+Info |
2011-10-29 |
2012-03-27 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The JavaServer Faces (JSF) application functionality in IBM WebSphere Application Server 8.x before 8.0.0.1 does not properly handle requests, which allows remote attackers to read unspecified files via unknown vectors. |
|
10 |
CVE-2011-1362 |
79 |
|
XSS |
2012-01-14 |
2012-02-08 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Installation Verification Test (IVT) application in the Install component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.41 and 7.0 before 7.0.0.19 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1308. |
|
11 |
CVE-2011-1359 |
22 |
|
Dir. Trav. |
2011-09-06 |
2011-09-15 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Directory traversal vulnerability in the administration console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.41, 7.0 before 7.0.0.19, and 8.0 before 8.0.0.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the URI. |
|
12 |
CVE-2011-1356 |
200 |
|
+Info |
2011-07-19 |
2011-07-25 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.39 and 7.0 before 7.0.0.19 allows local users to obtain sensitive stack-trace information via a crafted Administration Console request. |
|
13 |
CVE-2011-1355 |
20 |
|
|
2011-07-19 |
2011-07-25 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
|
Open redirect vulnerability in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.39 and 7.0 before 7.0.0.19 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the logoutExitPage parameter. |
|
14 |
CVE-2011-1322 |
399 |
|
DoS |
2011-03-08 |
2011-03-09 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The SOAP with Attachments API for Java (SAAJ) implementation in the Web Services component in IBM WebSphere Application Server (WAS) 6.1.0.x before 6.1.0.37 and 7.x before 7.0.0.15 allows remote attackers to cause a denial of service (memory consumption) via encrypted SOAP messages. |
|
15 |
CVE-2011-1321 |
264 |
|
+Priv |
2011-03-08 |
2011-03-10 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
The AuthCache purge implementation in the Security component in IBM WebSphere Application Server (WAS) 6.1.0.x before 6.1.0.37 and 7.x before 7.0.0.15 does not purge a user from the PlatformCredential cache, which might allow remote authenticated users to gain privileges by leveraging a group membership specified in an old RACF Object (aka RACO). |
|
16 |
CVE-2011-1320 |
20 |
|
|
2011-03-08 |
2011-03-29 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The Security component in IBM WebSphere Application Server (WAS) 6.1.0.x before 6.1.0.35 and 7.x before 7.0.0.15, when the Tivoli Integrated Portal / embedded WebSphere Application Server (TIP/eWAS) framework is used, does not properly delete AuthCache entries upon a logout, which might allow remote attackers to access the server by leveraging an unattended workstation. |
|
17 |
CVE-2011-1319 |
399 |
|
DoS |
2011-03-08 |
2011-03-30 |
4.0 |
None |
Remote |
Low |
Single system |
None |
None |
Partial |
|
The Security component in IBM WebSphere Application Server (WAS) 6.1.0.x before 6.1.0.35 and 7.x before 7.0.0.15 allows remote authenticated users to cause a denial of service (memory consumption) by using a Lightweight Third-Party Authentication (LTPA) token for authentication. |
|
18 |
CVE-2011-1318 |
399 |
|
DoS |
2011-03-08 |
2011-03-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Memory leak in org.apache.jasper.runtime.JspWriterImpl.response in the JavaServer Pages (JSP) component in IBM WebSphere Application Server (WAS) before 7.0.0.15 allows remote attackers to cause a denial of service (memory consumption) by accessing a JSP page of an application that is repeatedly stopped and restarted. |
|
19 |
CVE-2011-1317 |
399 |
|
DoS |
2011-03-08 |
2011-04-07 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Memory leak in com.ibm.ws.jsp.runtime.WASJSPStrBufferImpl in the JavaServer Pages (JSP) component in IBM WebSphere Application Server (WAS) 6.1.0.x before 6.1.0.37 and 7.x before 7.0.0.15 allows remote attackers to cause a denial of service (memory consumption) by sending many JSP requests that trigger large responses. |
|
20 |
CVE-2011-1316 |
399 |
|
DoS |
2011-03-08 |
2011-04-07 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The Session Initiation Protocol (SIP) Proxy in the HTTP Transport component in IBM WebSphere Application Server (WAS) before 7.0.0.15 allows remote attackers to cause a denial of service (worker thread exhaustion and UDP messaging outage) by sending many UDP messages. |
|
21 |
CVE-2011-1315 |
399 |
|
DoS |
2011-03-08 |
2011-04-07 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Memory leak in the messaging engine in IBM WebSphere Application Server (WAS) before 7.0.0.15 allows remote attackers to cause a denial of service (memory consumption) via network connections associated with a NULL return value from a synchronous JMS receive call. |
|
22 |
CVE-2011-1314 |
399 |
|
DoS |
2011-03-08 |
2011-04-07 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The Service Integration Bus (SIB) messaging engine in IBM WebSphere Application Server (WAS) before 7.0.0.15 allows remote attackers to cause a denial of service (daemon hang) by performing close operations via network connections to a queue manager. |
|
23 |
CVE-2011-1313 |
399 |
|
DoS |
2011-03-08 |
2011-04-07 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Double free vulnerability in IBM WebSphere Application Server (WAS) 6.1.0.x before 6.1.0.35 and 7.x before 7.0.0.15 allows remote backend IIOP servers to cause a denial of service (S0C4 ABEND and storage corruption) by rejecting IIOP requests at opportunistic time instants, as demonstrated by requests associated with an ORB_Request::getACRWorkElementPtr function call. |
|
24 |
CVE-2011-1312 |
264 |
|
Bypass |
2011-03-08 |
2011-04-07 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
The Administrative Console component in IBM WebSphere Application Server (WAS) 6.1.0.x before 6.1.0.31 and 7.x before 7.0.0.15 does not prevent modifications of the primary admin id, which allows remote authenticated administrators to bypass intended access restrictions by mapping a (1) user or (2) group to an administrator role. |
|
25 |
CVE-2011-1311 |
264 |
|
+Priv |
2011-03-08 |
2011-04-07 |
6.0 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
Partial |
|
The Security component in IBM WebSphere Application Server (WAS) before 7.0.0.15, when a J2EE 1.4 application is used, determines the security role mapping on the basis of the ibm-application-bnd.xml file instead of the intended ibm-application-bnd.xmi file, which might allow remote authenticated users to gain privileges in opportunistic circumstances by requesting a service. |
|
26 |
CVE-2011-1310 |
200 |
|
+Info |
2011-03-08 |
2011-04-07 |
1.9 |
None |
Local |
Medium |
Not required |
Partial |
None |
None |
|
The Administrative Scripting Tools component in IBM WebSphere Application Server (WAS) 6.1.0.x before 6.1.0.35 and 7.x before 7.0.0.15, when tracing is enabled, places wsadmin command parameters into the (1) wsadmin.traceout and (2) trace.log files, which allows local users to obtain potentially sensitive information by reading these files. |
|
27 |
CVE-2011-1309 |
20 |
|
|
2011-03-08 |
2011-04-07 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The Plug-in component in IBM WebSphere Application Server (WAS) before 7.0.0.15 does not properly handle trace requests, which has unspecified impact and attack vectors. |
|
28 |
CVE-2011-1308 |
79 |
|
XSS |
2011-03-08 |
2011-03-17 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Installation Verification Test (IVT) application in the Install component in IBM WebSphere Application Server (WAS) before 7.0.0.15 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
29 |
CVE-2011-1307 |
264 |
|
|
2011-03-08 |
2011-04-21 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The installer in IBM WebSphere Application Server (WAS) before 7.0.0.15 uses 777 permissions for a temporary log directory, which allows local users to have unintended access to log files via standard filesystem operations, a different vulnerability than CVE-2009-1173. |
|
30 |
CVE-2011-1209 |
310 |
|
|
2011-05-04 |
2011-05-31 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.39 and 7.0 before 7.0.0.17 uses a weak WS-Security XML encryption algorithm, which makes it easier for remote attackers to obtain plaintext data from a (1) JAX-RPC or (2) JAX-WS Web Services request via unspecified vectors related to a "decryption attack." |
|
31 |
CVE-2011-0316 |
264 |
|
+Info |
2011-01-11 |
2011-03-10 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Administrative Console component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.35 and 7.0 before 7.0.0.15 does not properly restrict access to console servlets, which allows remote attackers to obtain potentially sensitive status information via a direct request. |
|
32 |
CVE-2011-0315 |
79 |
|
XSS |
2011-01-11 |
2011-03-10 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Servlet Engine / Web Container component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.35 and 7.0 before 7.0.0.15 allows remote attackers to inject arbitrary web script or HTML via vectors related to the lack of an error page for an application. |
|
33 |
CVE-2010-4220 |
79 |
|
XSS |
2010-11-09 |
2010-11-10 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Integrated Solution Console in the Administrative Console component in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related in part to "URL injection." |
|
34 |
CVE-2010-3700 |
264 |
|
Bypass |
2010-10-29 |
2010-11-06 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
VMware SpringSource Spring Security 2.x before 2.0.6 and 3.x before 3.0.4, and Acegi Security 1.0.0 through 1.0.7, as used in IBM WebSphere Application Server (WAS) 6.1 and 7.0, allows remote attackers to bypass security constraints via a path parameter. |
|
35 |
CVE-2010-3271 |
352 |
1
|
CSRF |
2011-07-18 |
2011-09-21 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in the Integrated Solutions Console (aka administrative console) in IBM WebSphere Application Server (WAS) 7.0.0.13 and earlier allow remote attackers to hijack the authentication of administrators for requests that disable certain security options via an Edit action to console/adminSecurityDetail.do followed by a save action to console/syncworkspace.do. |
|
36 |
CVE-2010-3186 |
20 |
|
|
2010-08-30 |
2010-09-08 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
IBM WebSphere Application Server (WAS) 7.x before 7.0.0.13, and WebSphere Application Server Feature Pack for Web Services 6.1.0.9 through 6.1.0.32, when a JAX-WS application is used, does not properly handle an IncludeTimestamp setting in the WS-Security policy, which has unspecified impact and remote attack vectors. |
|
37 |
CVE-2010-2328 |
|
|
DoS |
2010-06-18 |
2010-06-21 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The HTTP Channel in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11 allows remote attackers to cause a denial of service (NullPointerException) via a large amount of chunked data that uses gzip compression. |
|
38 |
CVE-2010-2327 |
20 |
|
DoS |
2010-06-18 |
2010-06-21 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
mod_ibm_ssl in IBM HTTP Server 6.0 before 6.0.2.43, 6.1 before 6.1.0.33, and 7.0 before 7.0.0.11, as used in IBM WebSphere Application Server (WAS) on z/OS, does not properly handle a large HTTP request body in uploading over SSL, which might allow remote attackers to cause a denial of service (daemon fail) via an upload. |
|
39 |
CVE-2010-2326 |
200 |
|
+Info |
2010-06-18 |
2010-06-21 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11, when addNode -trace is used during node federation, allows attackers to obtain sensitive information about CIMMetadataCollectorImpl trace actions by reading the addNode.log file. |
|
40 |
CVE-2010-2325 |
79 |
|
XSS |
2010-06-18 |
2010-06-24 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the administrative console in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11 on z/OS allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related in part to "URL injection." |
|
41 |
CVE-2010-2324 |
|
|
|
2010-06-18 |
2010-06-24 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11 on z/OS allows attackers to perform unspecified "link injection" actions via unknown vectors. |
|
42 |
CVE-2010-2323 |
200 |
|
+Info |
2010-06-18 |
2010-06-24 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11 on z/OS might allow attackers to obtain sensitive information by reading the default_create.log file that is associated with profile creation by the BBOWWPFx job and the zPMT. |
|
43 |
CVE-2010-1651 |
310 |
|
+Info |
2010-05-03 |
2010-06-22 |
1.9 |
None |
Local |
Medium |
Not required |
Partial |
None |
None |
|
IBM WebSphere Application Server (WAS) 6.1.x before 6.1.0.31 and 7.0.x before 7.0.0.11, when Basic authentication and SIP tracing (aka full trace logging for SIP) are enabled, logs the entirety of all inbound and outbound SIP messages, which allows local users to obtain sensitive information by reading the trace log. |
|
44 |
CVE-2010-1650 |
310 |
|
+Info |
2010-05-03 |
2010-05-20 |
1.9 |
None |
Local |
Medium |
Not required |
Partial |
None |
None |
|
IBM WebSphere Application Server (WAS) 6.0.x before 6.0.2.41, 6.1.x before 6.1.0.31, and 7.0.x before 7.0.0.11, when the -trace option (aka debugging mode) is enabled, executes debugging statements that print string representations of unspecified objects, which allows attackers to obtain sensitive information by reading the trace output. |
|
45 |
CVE-2010-1182 |
|
|
|
2010-03-29 |
2010-03-30 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Multiple unspecified vulnerabilities in the administrative console in IBM WebSphere Application Server (WAS) 7.0.x before 7.0.0.9 on z/OS have unknown impact and attack vectors. |
|
46 |
CVE-2010-0786 |
20 |
|
DoS |
2010-11-09 |
2010-11-10 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The Web Services Security component in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.13 does not properly implement the Java API for XML Web Services (aka JAX-WS), which allows remote attackers to cause a denial of service (data corruption) via a crafted JAX-WS request that leads to incorrectly encoded data. |
|
47 |
CVE-2010-0785 |
352 |
|
CSRF |
2010-11-09 |
2010-11-10 |
6.0 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in the Administrative Console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.35 and 7.0 before 7.0.0.13 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. |
|
48 |
CVE-2010-0784 |
79 |
|
XSS |
2010-11-09 |
2010-11-10 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Administrative Console in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
49 |
CVE-2010-0783 |
79 |
|
XSS |
2010-11-09 |
2010-11-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Administrative Console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.35 and 7.0 before 7.0.0.13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
50 |
CVE-2010-0781 |
|
|
DoS |
2010-09-21 |
2010-11-11 |
4.0 |
None |
Remote |
Low |
Single system |
None |
None |
Partial |
|
Unspecified vulnerability in the administrative console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.33 allows remote authenticated users to cause a denial of service (CPU consumption) via a crafted URL. |
