CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

IBM » Websphere Application Server : Security Vulnerabilities (CVSS score between 7 and 7.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2014-0964 399 DoS 2014-05-16 2014-06-21
7.1
None Remote Medium Not required None None Complete
IBM WebSphere Application Server (WAS) 6.1.0.0 through 6.1.0.47 and 6.0.2.0 through 6.0.2.43 allows remote attackers to cause a denial of service via crafted TLS traffic, as demonstrated by traffic from a CVE-2014-0160 vulnerability-assessment tool.
2 CVE-2012-4850 20 +Priv 2012-11-14 2013-02-25
7.5
None Remote Low Not required Partial Partial Partial
IBM WebSphere Application Server 8.5 Liberty Profile before 8.5.0.1, when JAX-RS is used, does not properly validate requests, which allows remote attackers to gain privileges via unspecified vectors.
3 CVE-2011-1309 20 2011-03-08 2011-04-07
7.5
None Remote Low Not required Partial Partial Partial
The Plug-in component in IBM WebSphere Application Server (WAS) before 7.0.0.15 does not properly handle trace requests, which has unspecified impact and attack vectors.
4 CVE-2010-2324 2010-06-18 2010-06-24
7.5
None Remote Low Not required Partial Partial Partial
IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11 on z/OS allows attackers to perform unspecified "link injection" actions via unknown vectors.
5 CVE-2010-1182 2010-03-29 2010-03-30
7.5
None Remote Low Not required Partial Partial Partial
Multiple unspecified vulnerabilities in the administrative console in IBM WebSphere Application Server (WAS) 7.0.x before 7.0.0.9 on z/OS have unknown impact and attack vectors.
6 CVE-2009-2744 DoS 2009-09-21 2010-03-06
7.8
None Remote Low Not required None None Complete
Unspecified vulnerability in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.27 allows remote attackers to cause a denial of service via unknown vectors, related to "an error in fixpacks 6.1.0.23 and 6.1.0.25."
7 CVE-2009-2092 Bypass 2009-08-13 2009-09-02
7.5
None Remote Low Not required Partial Partial Partial
IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.5 does not properly read the portletServingEnabled parameter in ibm-portlet-ext.xmi, which allows remote attackers to bypass intended access restrictions via unknown vectors.
8 CVE-2009-2088 287 Bypass 2009-08-13 2009-08-14
7.5
None Remote Low Not required Partial Partial Partial
The Servlet Engine/Web Container component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 and 7.0 before 7.0.0.5, when SPNEGO Single Sign-on (SSO) and disableSecurityPreInvokeOnFilters are configured, allows remote attackers to bypass authentication via a request for a "secure URL," related to a certain invokefilterscompatibility property.
9 CVE-2009-2085 287 Bypass 2009-08-13 2009-08-14
7.5
None Remote Low Not required Partial Partial Partial
The Security component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 and 7.0 before 7.0.0.5 does not properly handle use of Identity Assertion with CSIv2 Security, which allows remote attackers to bypass intended CSIv2 access restrictions via vectors involving Enterprise JavaBeans (EJB).
10 CVE-2009-0903 Bypass 2009-06-24 2009-07-11
7.5
None Remote Low Not required Partial Partial Partial
IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.3, and the Feature Pack for Web Services for WAS 6.1 before 6.1.0.25, when a WS-Security policy is established at the operation level, does not properly handle inbound requests that lack a SOAPAction or WS-Addressing Action, which allows remote attackers to bypass intended access restrictions via a crafted request to a JAX-WS application.
11 CVE-2009-0508 200 +Info 2009-03-16 2009-06-05
7.5
None Remote Low Not required Partial Partial Partial
The Servlet Engine/Web Container and JSP components in IBM WebSphere Application Server (WAS) 5.1.0, 5.1.1.19, 6.0.2 before 6.0.2.35, 6.1 before 6.1.0.23, and 7.0 before 7.0.0.3 allow remote attackers to read arbitrary files contained in war files in (1) web-inf, (2) meta-inf, and unspecified other directories via unknown vectors, related to (a) web-based applications and (b) the administrative console.
12 CVE-2009-0436 264 2009-02-10 2009-06-17
7.2
Admin Local Low Not required Complete Complete Complete
The (1) mod_ibm_ssl and (2) mod_cgid modules in IBM HTTP Server 6.0.x before 6.0.2.31 and 6.1.x before 6.1.0.19, as used in WebSphere Application Server (WAS), set incorrect permissions for AF_UNIX sockets, which has unknown impact and local attack vectors.
13 CVE-2009-0391 200 +Info 2009-02-02 2009-02-26
7.8
None Remote Low Not required Complete None None
Unspecified vulnerability in IBM WebSphere Application Server (WAS) 6.0.1 on z/OS allows attackers to read arbitrary files via unknown vectors.
14 CVE-2008-4678 399 DoS 2008-10-22 2008-10-22
7.8
None Remote Low Not required None None Complete
The HTTP_Request_Parser method in the HTTP Transport component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.31 allows remote attackers to cause a denial of service (controller 0C4 abend and application hang) via a long HTTP Host header, related to "storage overlay" on the stack and a "parse failure."
15 CVE-2007-4839 2007-09-12 2012-10-30
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in the PD tools component in IBM WebSphere Application Server (WAS) 6.1 before Fix Pack 11 (6.1.0.11) has unknown impact and attack vectors, aka PK33803.
16 CVE-2007-3262 DoS 2007-06-19 2008-11-15
7.8
None Remote Low Not required None None Complete
Unspecified vulnerability in the Default Messaging Component in IBM WebSphere Application Server (WAS) 6.1.0.7 and earlier allows remote attackers to cause a denial of service related to a thread hang, and possibly related to a "TCP issue," or to MPAlarmThread and a resultant memory leak.
17 CVE-2007-1945 2007-04-10 2009-06-17
7.5
User Remote Low Not required Partial Partial Partial
Unspecified vulnerability in the Servlet Engine/Web Container in IBM WebSphere Application Server (WAS) before 6.1.0.7 has unknown impact and attack vectors.
18 CVE-2007-1608 Http R.Spl. 2007-03-22 2008-11-15
7.5
User Remote Low Not required Partial Partial Partial
CRLF injection vulnerability in IBM WebSphere Application Server (WAS) before 6.0.2.19 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a single CRLF sequence in a context that is not a valid multi-line header.
19 CVE-2006-5324 2006-10-17 2008-09-05
7.5
User Remote Low Not required Partial Partial Partial
The Web Services Notification (WSN) security component of IBM WebSphere Application Server before 6.1.0.2 allows attackers to obtain unspecified access without supplying a username and password, aka PK28374.
20 CVE-2006-4136 264 2006-08-14 2008-09-05
7.5
User Remote Low Not required Partial Partial Partial
Multiple unspecified vulnerabilities in IBM WebSphere Application Server before 6.1.0.1 have unspecified impact and attack vectors involving (1) "SOAP requests and responses", (2) mbean, (3) ThreadIdentitySupport, and possibly others.
21 CVE-2006-2436 +Priv 2006-05-17 2008-09-05
7.5
User Remote Low Not required Partial Partial Partial
WebSphere Application Server 5.0.2 (or any earlier cumulative fix) stores admin and LDAP passwords in plaintext in the FFDC logs when a login to WebSphere fails, which allows attackers to gain privileges.
22 CVE-2006-2432 2006-05-17 2008-09-05
7.5
User Remote Low Not required Partial Partial Partial
IBM WebSphere Application Server 5.0.2 (or any earlier cumulative fix) and 5.1.1 (or any earlier cumulative fix) allows EJB access on Solaris systems via a crafted LTPA token.
23 CVE-2006-2342 Bypass 2006-05-12 2008-09-05
7.5
User Remote Low Not required Partial Partial Partial
IBM WebSphere Application Server 6.0.2 before FixPack 3 allows remote attackers to bypass authentication for the Welcome Page via a request to the default context root.
24 CVE-2005-3760 119 DoS Overflow 2005-11-22 2008-09-05
7.8
None Remote Low Not required None None Complete
Double free vulnerability in the BBOORB module in IBM WebSphere Application Server for z/OS 5.0 allows attackers to cause a denial of service (ABEND).
25 CVE-2005-1872 Exec Code Overflow 2005-06-03 2008-09-05
7.5
User Remote Low Not required Partial Partial Partial
Buffer overflow in the administrative console in IBM WebSphere Application Server 5.x, when the global security option is enabled, allows remote attackers to execute arbitrary code.
26 CVE-2001-0962 +Priv 2001-09-19 2008-09-05
7.5
None Remote Low Not required Partial Partial Partial
IBM WebSphere Application Server 3.02 through 3.53 uses predictable session IDs for cookies, which allows remote attackers to gain privileges of WebSphere users via brute force guessing.
27 CVE-2001-0824 XSS 2001-12-06 2008-09-10
7.5
None Remote Low Not required Partial Partial Partial
Cross-site scripting vulnerability in IBM WebSphere 3.02 and 3.5 FP2 allows remote attackers to execute Javascript by inserting the Javascript into (1) a request for a .JSP file, or (2) a request to the webapp/examples/ directory, which inserts the Javascript into an error page.
28 CVE-1999-0852 1999-12-02 2008-09-09
7.2
Admin Local Low Not required Complete Complete Complete
IBM WebSphere sets permissions that allow a local user to modify a deinstallation script or its data files stored in /usr/bin.
Total number of vulnerabilities : 28   Page : 1 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.