| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2013-0544 |
22 |
|
Dir. Trav. |
2013-04-24 |
2013-04-24 |
5.5 |
None |
Remote |
Low |
Single system |
None |
Partial |
Partial |
|
Directory traversal vulnerability in the Administrative Console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.47, 7.0 before 7.0.0.29, 8.0 before 8.0.0.6, and 8.5 before 8.5.0.2 on Linux and UNIX allows remote authenticated users to modify data via unspecified vectors. |
|
2 |
CVE-2012-3330 |
|
|
DoS |
2012-11-14 |
2012-11-14 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The proxy server in IBM WebSphere Application Server 7.0 before 7.0.0.27, 8.0 before 8.0.0.5, and 8.5 before 8.5.0.1, and WebSphere Virtual Enterprise, allows remote attackers to cause a denial of service (daemon outage) via a crafted request. |
|
3 |
CVE-2012-2190 |
310 |
|
DoS |
2012-08-21 |
2012-08-21 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
IBM Global Security Kit (aka GSKit), as used in IBM HTTP Server in IBM WebSphere Application Server (WAS) 6.1.x before 6.1.0.45, 7.0.x before 7.0.0.25, 8.0.x before 8.0.0.4, and 8.5.x before 8.5.0.1, allows remote attackers to cause a denial of service (daemon crash) via a crafted ClientHello message in the TLS Handshake Protocol. |
|
4 |
CVE-2012-0193 |
20 |
|
DoS |
2012-01-19 |
2012-01-20 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
IBM WebSphere Application Server (WAS) 6.0 through 6.0.2.43, 6.1 before 6.1.0.43, 7.0 before 7.0.0.23, and 8.0 before 8.0.0.3 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. |
|
5 |
CVE-2011-1368 |
200 |
|
+Info |
2011-10-29 |
2012-11-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The JavaServer Faces (JSF) application functionality in IBM WebSphere Application Server 8.x before 8.0.0.1 does not properly handle requests, which allows remote attackers to read unspecified files via unknown vectors. |
|
6 |
CVE-2011-1359 |
22 |
|
Dir. Trav. |
2011-09-06 |
2011-09-15 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Directory traversal vulnerability in the administration console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.41, 7.0 before 7.0.0.19, and 8.0 before 8.0.0.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the URI. |
|
7 |
CVE-2011-1355 |
20 |
|
|
2011-07-19 |
2011-07-25 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
|
Open redirect vulnerability in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.39 and 7.0 before 7.0.0.19 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the logoutExitPage parameter. |
|
8 |
CVE-2011-1322 |
399 |
|
DoS |
2011-03-08 |
2011-03-09 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The SOAP with Attachments API for Java (SAAJ) implementation in the Web Services component in IBM WebSphere Application Server (WAS) 6.1.0.x before 6.1.0.37 and 7.x before 7.0.0.15 allows remote attackers to cause a denial of service (memory consumption) via encrypted SOAP messages. |
|
9 |
CVE-2011-1318 |
399 |
|
DoS |
2011-03-08 |
2011-03-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Memory leak in org.apache.jasper.runtime.JspWriterImpl.response in the JavaServer Pages (JSP) component in IBM WebSphere Application Server (WAS) before 7.0.0.15 allows remote attackers to cause a denial of service (memory consumption) by accessing a JSP page of an application that is repeatedly stopped and restarted. |
|
10 |
CVE-2011-1317 |
399 |
|
DoS |
2011-03-08 |
2011-04-07 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Memory leak in com.ibm.ws.jsp.runtime.WASJSPStrBufferImpl in the JavaServer Pages (JSP) component in IBM WebSphere Application Server (WAS) 6.1.0.x before 6.1.0.37 and 7.x before 7.0.0.15 allows remote attackers to cause a denial of service (memory consumption) by sending many JSP requests that trigger large responses. |
|
11 |
CVE-2011-1316 |
399 |
|
DoS |
2011-03-08 |
2011-04-07 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The Session Initiation Protocol (SIP) Proxy in the HTTP Transport component in IBM WebSphere Application Server (WAS) before 7.0.0.15 allows remote attackers to cause a denial of service (worker thread exhaustion and UDP messaging outage) by sending many UDP messages. |
|
12 |
CVE-2011-1315 |
399 |
|
DoS |
2011-03-08 |
2011-04-07 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Memory leak in the messaging engine in IBM WebSphere Application Server (WAS) before 7.0.0.15 allows remote attackers to cause a denial of service (memory consumption) via network connections associated with a NULL return value from a synchronous JMS receive call. |
|
13 |
CVE-2011-1314 |
399 |
|
DoS |
2011-03-08 |
2011-04-07 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The Service Integration Bus (SIB) messaging engine in IBM WebSphere Application Server (WAS) before 7.0.0.15 allows remote attackers to cause a denial of service (daemon hang) by performing close operations via network connections to a queue manager. |
|
14 |
CVE-2011-1313 |
399 |
|
DoS |
2011-03-08 |
2011-04-07 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Double free vulnerability in IBM WebSphere Application Server (WAS) 6.1.0.x before 6.1.0.35 and 7.x before 7.0.0.15 allows remote backend IIOP servers to cause a denial of service (S0C4 ABEND and storage corruption) by rejecting IIOP requests at opportunistic time instants, as demonstrated by requests associated with an ORB_Request::getACRWorkElementPtr function call. |
|
15 |
CVE-2011-0316 |
264 |
|
+Info |
2011-01-11 |
2011-03-10 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Administrative Console component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.35 and 7.0 before 7.0.0.15 does not properly restrict access to console servlets, which allows remote attackers to obtain potentially sensitive status information via a direct request. |
|
16 |
CVE-2010-3700 |
264 |
|
Bypass |
2010-10-29 |
2010-11-06 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
VMware SpringSource Spring Security 2.x before 2.0.6 and 3.x before 3.0.4, and Acegi Security 1.0.0 through 1.0.7, as used in IBM WebSphere Application Server (WAS) 6.1 and 7.0, allows remote attackers to bypass security constraints via a path parameter. |
|
17 |
CVE-2010-2328 |
|
|
DoS |
2010-06-18 |
2010-06-21 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The HTTP Channel in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11 allows remote attackers to cause a denial of service (NullPointerException) via a large amount of chunked data that uses gzip compression. |
|
18 |
CVE-2010-2323 |
200 |
|
+Info |
2010-06-18 |
2010-06-24 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11 on z/OS might allow attackers to obtain sensitive information by reading the default_create.log file that is associated with profile creation by the BBOWWPFx job and the zPMT. |
|
19 |
CVE-2010-0786 |
20 |
|
DoS |
2010-11-09 |
2010-11-10 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The Web Services Security component in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.13 does not properly implement the Java API for XML Web Services (aka JAX-WS), which allows remote attackers to cause a denial of service (data corruption) via a crafted JAX-WS request that leads to incorrectly encoded data. |
|
20 |
CVE-2010-0776 |
20 |
|
DoS |
2010-05-17 |
2010-05-18 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The Web Container in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.43, 6.1 before 6.1.0.31, and 7.0 before 7.0.0.11 does not properly handle chunked transfer encoding during a call to response.sendRedirect, which allows remote attackers to cause a denial of service via a GET request. |
|
21 |
CVE-2010-0775 |
399 |
|
DoS |
2010-05-17 |
2010-05-18 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Unspecified vulnerability in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.41, 6.1 before 6.1.0.31, and 7.0 before 7.0.0.11 allows remote attackers to cause a denial of service (memory consumption and daemon crash) via a crafted request, related to the nodeagent and Deployment Manager components. |
|
22 |
CVE-2010-0563 |
200 |
|
+Info |
2010-02-08 |
2010-11-03 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Single Sign-on (SSO) functionality in IBM WebSphere Application Server (WAS) 7.0.0.0 through 7.0.0.8 does not recognize the Requires SSL configuration option, which might allow remote attackers to obtain sensitive information by sniffing network sessions that were expected to be encrypted. |
|
23 |
CVE-2009-3106 |
264 |
|
Bypass +Info |
2009-09-08 |
2009-09-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Servlet Engine/Web Container component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.37 does not properly implement security constraints on the (1) doGet and (2) doTrace methods, which allows remote attackers to bypass intended access restrictions and obtain sensitive information via a crafted HTTP HEAD request to a Web Application. |
|
24 |
CVE-2009-2747 |
264 |
|
+Info |
2011-10-30 |
2012-03-27 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Java Naming and Directory Interface (JNDI) implementation in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.39, 6.1 before 6.1.0.29, and 7.0 before 7.0.0.7 does not properly restrict access to UserRegistry object methods, which allows remote attackers to obtain sensitive information via a crafted method call. |
|
25 |
CVE-2009-2091 |
264 |
|
+Info |
2009-08-13 |
2009-09-02 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The System Management/Repository component in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.5 on z/OS uses weak file permissions for new applications, which allows remote attackers to obtain sensitive information via unspecified vectors. |
|
26 |
CVE-2009-2090 |
|
|
DoS Bypass |
2009-08-13 |
2009-09-02 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Unspecified vulnerability in wsadmin in the System Management/Repository component in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.5 allows remote attackers to bypass intended Java Management Extensions (JMX) Management Beans (aka MBeans) access restrictions, and cause a denial of service (daemon stop), via unknown vectors. |
|
27 |
CVE-2009-1900 |
200 |
|
+Info |
2009-06-03 |
2009-08-15 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Configservice APIs in the Administrative Console component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.35, 6.1 before 6.1.0.25, and 7.0 before 7.0.0.5, when tracing is enabled, allow remote attackers to obtain sensitive information via unspecified use of the wsadmin scripting tool. |
|
28 |
CVE-2009-1898 |
200 |
|
+Info |
2009-06-03 |
2009-06-24 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The secure login page in the Administrative Console component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.35 does not redirect to an https page upon receiving an http request, which makes it easier for remote attackers to read the contents of WAS sessions by sniffing the network. |
|
29 |
CVE-2009-0892 |
287 |
|
|
2009-03-31 |
2009-04-16 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
None |
|
The administrative console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.23 and 7.0 before 7.0.0.3 allows attackers to hijack user sessions in "specific scenarios" related to a forced logout. |
|
30 |
CVE-2009-0891 |
287 |
|
|
2009-03-24 |
2009-03-26 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
None |
|
The Web Services Security component in IBM WebSphere Application Server 7.0 before Fix Pack 1 (7.0.0.1), 6.1 before Fix Pack 23 (6.1.0.23),and 6.0.2 before Fix Pack 33 (6.0.2.33) does not properly enforce (1) nonce and (2) timestamp expiration values in WS-Security bindings as stored in the com.ibm.wsspi.wssecurity.core custom property, which allows remote authenticated users to conduct session hijacking attacks. |
|
31 |
CVE-2009-0438 |
264 |
|
Bypass +Info |
2009-02-10 |
2009-02-11 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
IBM WebSphere Application Server (WAS) 7 before 7.0.0.1 on Windows allows remote attackers to bypass "Authorization checking" and obtain sensitive information from JSP pages via a crafted request. NOTE: this is probably a duplicate of CVE-2008-5412. |
|
32 |
CVE-2009-0435 |
|
|
DoS |
2009-02-10 |
2009-02-12 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Unspecified vulnerability in the IBM Asynchronous I/O (aka AIO or libibmaio) library in the Java Message Service (JMS) component in IBM WebSphere Application Server (WAS) 6.1.x before 6.1.0.17 on AIX 5.3 allows attackers to cause a denial of service (daemon crash) via vectors related to the aio_getioev2 and getEvent methods. |
|
33 |
CVE-2009-0432 |
16 |
|
+Info |
2009-02-10 |
2009-02-12 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The installation process for the File Transfer servlet in the System Management/Repository component in IBM WebSphere Application Server (WAS) 6.1.x before 6.1.0.19 does not enable the secure version, which allows remote attackers to obtain sensitive information via unspecified vectors. |
|
34 |
CVE-2009-0217 |
|
|
Bypass |
2009-07-14 |
2012-10-22 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits. |
|
35 |
CVE-2008-5413 |
200 |
|
+Info |
2008-12-09 |
2011-08-23 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
PerfServlet in the PMI/Performance Tools component in IBM WebSphere Application Server (WAS) 7 before 7.0.0.1 allows attackers to obtain sensitive information by reading the (1) systemout.log and (2) ffdc files. NOTE: this is probably a duplicate of CVE-2009-0434. |
|
36 |
CVE-2008-5411 |
310 |
|
+Info |
2008-12-09 |
2008-12-11 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
IBM WebSphere Application Server (WAS) 7 before 7.0.0.1 sends SSL traffic over "unsecured TCP," which makes it easier for remote attackers to obtain sensitive information by sniffing the network. |
|
37 |
CVE-2008-4285 |
399 |
|
DoS |
2009-02-17 |
2009-02-17 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Unspecified vulnerability in the Performance Monitoring Infrastructure (PMI) feature in the Servlet Engine/Web Container component in IBM WebSphere Application Server (WAS) 6.1.x before 6.1.0.19, when a component statistic is enabled, allows attackers to cause a denial of service (daemon crash) via vectors related to "a gradual degradation in performance." |
|
38 |
CVE-2008-4284 |
59 |
|
|
2009-02-10 |
2009-02-11 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
None |
Partial |
|
Open redirect vulnerability in the ibm_security_logout servlet in IBM WebSphere Application Server (WAS) 5.1.1.19 and earlier 5.x versions, 6.0.x before 6.0.2.33, and 6.1.x before 6.1.0.23 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the logoutExitPage feature. |
|
39 |
CVE-2008-3236 |
310 |
|
+Info |
2008-07-21 |
2008-10-01 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Unspecified vulnerability in Wsadmin in the System Management/Repository component in IBM WebSphere Application Server (WAS) 5.1 before 5.1.1.19 allows attackers to obtain sensitive information via vectors related to "previously encrypted properties" that are not encrypted. |
|
40 |
CVE-2008-2550 |
|
|
|
2008-06-04 |
2008-09-05 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Unspecified vulnerability in the Web Services Security component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.17 has unknown impact and attack vectors related to an attribute in the SOAP security header. |
|
41 |
CVE-2007-4833 |
|
|
|
2007-09-12 |
2009-06-17 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Unspecified vulnerability in the Edge Component in IBM WebSphere Application Server (WAS) 6.1 before Fix Pack 11 (6.1.0.11) has unknown impact and attack vectors, aka PK44789. |
|
42 |
CVE-2007-3397 |
|
|
+Info |
2007-06-26 |
2008-11-15 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The web container in IBM WebSphere Application Server (WAS) before 6.0.2.21, and 6.1.x before 6.1.0.9, sends response data intended for a different request in certain circumstances after a closed connection error, which might allow remote attackers to obtain sensitive information. |
|
43 |
CVE-2007-1944 |
119 |
|
DoS Overflow |
2007-04-10 |
2008-09-05 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The Java Message Service (JMS) in IBM WebSphere Application Server (WAS) before 6.1.0.7 allows attackers to cause a denial of service via unknown vectors involving the "double release [of] a bytebuffer input stream," possibly a double free vulnerability. |
|
44 |
CVE-2006-7166 |
|
|
+Info |
2007-03-20 |
2008-09-05 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
IBM WebSphere Application Server (WAS) 5.1.1.9 and earlier allows remote attackers to obtain JSP source code and other sensitive information via "a specific JSP URL." |
|
45 |
CVE-2006-6637 |
200 |
|
+Info |
2006-12-19 |
2011-06-14 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Servlet Engine and Web Container in IBM WebSphere Application Server (WAS) before 6.0.2.17, when ibm-web-ext.xmi sets fileServingEnabled to true and servlet caching is enabled, allows remote attackers to obtain JSP source code and other sensitive information via "specific requests." |
|
46 |
CVE-2006-4223 |
|
|
+Info |
2006-08-18 |
2008-09-05 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
IBM WebSphere Application Server (WAS) before 6.0.2.13 allows context-dependent attackers to obtain sensitive information via unspecified vectors related to "JSP source code exposure" (PK23475), which occurs when ibm-web-ext.xmi sets fileServingEnabled to true or ExtendedDocumentRoot is used to place a JSP outside a WAR.file; (3) the First Failure Data Capture (ffdc) log file (PK24834); and (4) traces (PK25568), a different issue than CVE-2006-4137. |
|
47 |
CVE-2006-4222 |
|
|
|
2006-08-18 |
2008-09-05 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Multiple unspecified vulnerabilities in IBM WebSphere Application Server before 6.0.2.13 have unspecified vectors and impact, including (1) an "authority problem" in ThreadIdentitySupport as identified by PK25199, and "Potential security exposure" issues as identified by (2) PK22747, (3) PK24334, (4) PK25740, and (5) PK26123. |
|
48 |
CVE-2006-4137 |
|
|
+Info |
2006-08-14 |
2008-09-05 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
IBM WebSphere Application Server before 6.1.0.1 allows attackers to obtain sensitive information via unspecified vectors related to (1) the log file, (2) "script generated syntax on wsadmin command line," and (3) traces. |
|
49 |
CVE-2006-2434 |
|
|
+Info |
2006-05-17 |
2008-09-05 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Unspecified vulnerability in WebSphere 5.1.1 (or any earlier cumulative fix) Common Configuration Mode + CommonArchive and J2EE Models might allow attackers to obtain sensitive information via the trace. |
|
50 |
CVE-2006-1619 |
|
|
DoS |
2006-04-05 |
2008-09-05 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
IBM WebSphere Application Server 4.0.1 through 4.0.3 allows remote attackers to cause a denial of service (application crash) via an HTTP request with a large header. |
