| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2012-4853 |
352 |
|
CSRF |
2012-11-14 |
2013-02-25 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in IBM WebSphere Application Server 6.1 before 6.1.0.45, 7.0 before 7.0.0.25, 8.0 before 8.0.0.5, and 8.5 before 8.5.0.1 allows remote attackers to hijack the authentication of arbitrary users for requests that trigger information disclosure. |
|
2 |
CVE-2012-3325 |
20 |
|
|
2012-08-30 |
2013-03-01 |
6.0 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
Partial |
|
IBM WebSphere Application Server (WAS) 6.1.x before 6.1.0.45, 7.0.x before 7.0.0.25, 8.0.x before 8.0.0.5, and 8.5.x Full Profile before 8.5.0.1, when the PM44303 fix is installed, does not properly validate credentials, which allows remote authenticated users to obtain administrative access via unspecified vectors. |
|
3 |
CVE-2012-3305 |
22 |
|
Dir. Trav. |
2012-09-25 |
2013-01-28 |
6.4 |
None |
Remote |
Low |
Not required |
None |
Partial |
Partial |
|
Directory traversal vulnerability in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.47, 7.0 before 7.0.0.25, 8.0 before 8.0.0.5, and 8.5 before 8.5.0.1 allows remote attackers to overwrite arbitrary files via a crafted application file. |
|
4 |
CVE-2012-2162 |
310 |
|
+Info |
2012-05-01 |
2012-05-13 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The Web Server Plug-in in IBM WebSphere Application Server (WAS) 8.0 and earlier uses unencrypted HTTP communication after expiration of the plugin-key.kdb password, which allows remote attackers to obtain sensitive information by sniffing the network, or spoof arbitrary servers via a man-in-the-middle attack. |
|
5 |
CVE-2011-5066 |
200 |
|
+Info |
2012-01-14 |
2012-02-08 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The SibRaRecoverableSiXaResource class in the Default Messaging Component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.41 does not properly handle a Service Integration Bus (SIB) dump operation involving the First Failure Data Capture (FFDC) introspection code, which allows local users to obtain sensitive information by reading the FFDC log file. |
|
6 |
CVE-2011-5065 |
79 |
|
XSS |
2012-01-14 |
2012-02-16 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.41 allows remote attackers to inject arbitrary web script or HTML via vectors related to web messaging. |
|
7 |
CVE-2011-1377 |
|
|
|
2012-01-14 |
2012-01-17 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
The Web Services Security component in the Web Services Feature Pack before 6.1.0.41 for IBM WebSphere Application Server (WAS) 6.1 does not properly handle the enabling of WS-Security for a JAX-WS application, which has unspecified impact and attack vectors. |
|
8 |
CVE-2011-1376 |
264 |
|
|
2012-01-19 |
2012-01-19 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
iscdeploy in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.43, 7.0 before 7.0.0.21, and 8.0 before 8.0.0.2 on the IBM i platform sets weak permissions under systemapps/isclite.ear/ and bin/client_ffdc/, which allows local users to read or modify files via standard filesystem operations. |
|
9 |
CVE-2011-1362 |
79 |
|
XSS |
2012-01-14 |
2012-02-08 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Installation Verification Test (IVT) application in the Install component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.41 and 7.0 before 7.0.0.19 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1308. |
|
10 |
CVE-2011-1359 |
22 |
|
Dir. Trav. |
2011-09-06 |
2011-09-15 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Directory traversal vulnerability in the administration console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.41, 7.0 before 7.0.0.19, and 8.0 before 8.0.0.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the URI. |
|
11 |
CVE-2011-1356 |
200 |
|
+Info |
2011-07-19 |
2011-07-25 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.39 and 7.0 before 7.0.0.19 allows local users to obtain sensitive stack-trace information via a crafted Administration Console request. |
|
12 |
CVE-2011-1355 |
20 |
|
|
2011-07-19 |
2011-07-25 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
|
Open redirect vulnerability in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.39 and 7.0 before 7.0.0.19 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the logoutExitPage parameter. |
|
13 |
CVE-2011-1318 |
399 |
|
DoS |
2011-03-08 |
2011-03-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Memory leak in org.apache.jasper.runtime.JspWriterImpl.response in the JavaServer Pages (JSP) component in IBM WebSphere Application Server (WAS) before 7.0.0.15 allows remote attackers to cause a denial of service (memory consumption) by accessing a JSP page of an application that is repeatedly stopped and restarted. |
|
14 |
CVE-2011-1316 |
399 |
|
DoS |
2011-03-08 |
2011-04-07 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The Session Initiation Protocol (SIP) Proxy in the HTTP Transport component in IBM WebSphere Application Server (WAS) before 7.0.0.15 allows remote attackers to cause a denial of service (worker thread exhaustion and UDP messaging outage) by sending many UDP messages. |
|
15 |
CVE-2011-1315 |
399 |
|
DoS |
2011-03-08 |
2011-04-07 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Memory leak in the messaging engine in IBM WebSphere Application Server (WAS) before 7.0.0.15 allows remote attackers to cause a denial of service (memory consumption) via network connections associated with a NULL return value from a synchronous JMS receive call. |
|
16 |
CVE-2011-1314 |
399 |
|
DoS |
2011-03-08 |
2011-04-07 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The Service Integration Bus (SIB) messaging engine in IBM WebSphere Application Server (WAS) before 7.0.0.15 allows remote attackers to cause a denial of service (daemon hang) by performing close operations via network connections to a queue manager. |
|
17 |
CVE-2011-1311 |
264 |
|
+Priv |
2011-03-08 |
2011-04-07 |
6.0 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
Partial |
|
The Security component in IBM WebSphere Application Server (WAS) before 7.0.0.15, when a J2EE 1.4 application is used, determines the security role mapping on the basis of the ibm-application-bnd.xml file instead of the intended ibm-application-bnd.xmi file, which might allow remote authenticated users to gain privileges in opportunistic circumstances by requesting a service. |
|
18 |
CVE-2011-1309 |
20 |
|
|
2011-03-08 |
2011-04-07 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The Plug-in component in IBM WebSphere Application Server (WAS) before 7.0.0.15 does not properly handle trace requests, which has unspecified impact and attack vectors. |
|
19 |
CVE-2011-1308 |
79 |
|
XSS |
2011-03-08 |
2011-03-17 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Installation Verification Test (IVT) application in the Install component in IBM WebSphere Application Server (WAS) before 7.0.0.15 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
20 |
CVE-2011-1307 |
264 |
|
|
2011-03-08 |
2011-04-21 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The installer in IBM WebSphere Application Server (WAS) before 7.0.0.15 uses 777 permissions for a temporary log directory, which allows local users to have unintended access to log files via standard filesystem operations, a different vulnerability than CVE-2009-1173. |
|
21 |
CVE-2011-0316 |
264 |
|
+Info |
2011-01-11 |
2011-03-10 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Administrative Console component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.35 and 7.0 before 7.0.0.15 does not properly restrict access to console servlets, which allows remote attackers to obtain potentially sensitive status information via a direct request. |
|
22 |
CVE-2011-0315 |
79 |
|
XSS |
2011-01-11 |
2011-03-10 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Servlet Engine / Web Container component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.35 and 7.0 before 7.0.0.15 allows remote attackers to inject arbitrary web script or HTML via vectors related to the lack of an error page for an application. |
|
23 |
CVE-2010-3700 |
264 |
|
Bypass |
2010-10-29 |
2010-11-06 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
VMware SpringSource Spring Security 2.x before 2.0.6 and 3.x before 3.0.4, and Acegi Security 1.0.0 through 1.0.7, as used in IBM WebSphere Application Server (WAS) 6.1 and 7.0, allows remote attackers to bypass security constraints via a path parameter. |
|
24 |
CVE-2010-3271 |
352 |
1
|
CSRF |
2011-07-18 |
2011-09-21 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in the Integrated Solutions Console (aka administrative console) in IBM WebSphere Application Server (WAS) 7.0.0.13 and earlier allow remote attackers to hijack the authentication of administrators for requests that disable certain security options via an Edit action to console/adminSecurityDetail.do followed by a save action to console/syncworkspace.do. |
|
25 |
CVE-2010-2327 |
20 |
|
DoS |
2010-06-18 |
2010-06-21 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
mod_ibm_ssl in IBM HTTP Server 6.0 before 6.0.2.43, 6.1 before 6.1.0.33, and 7.0 before 7.0.0.11, as used in IBM WebSphere Application Server (WAS) on z/OS, does not properly handle a large HTTP request body in uploading over SSL, which might allow remote attackers to cause a denial of service (daemon fail) via an upload. |
|
26 |
CVE-2010-1651 |
310 |
|
+Info |
2010-05-03 |
2010-06-22 |
1.9 |
None |
Local |
Medium |
Not required |
Partial |
None |
None |
|
IBM WebSphere Application Server (WAS) 6.1.x before 6.1.0.31 and 7.0.x before 7.0.0.11, when Basic authentication and SIP tracing (aka full trace logging for SIP) are enabled, logs the entirety of all inbound and outbound SIP messages, which allows local users to obtain sensitive information by reading the trace log. |
|
27 |
CVE-2010-1650 |
310 |
|
+Info |
2010-05-03 |
2010-05-20 |
1.9 |
None |
Local |
Medium |
Not required |
Partial |
None |
None |
|
IBM WebSphere Application Server (WAS) 6.0.x before 6.0.2.41, 6.1.x before 6.1.0.31, and 7.0.x before 7.0.0.11, when the -trace option (aka debugging mode) is enabled, executes debugging statements that print string representations of unspecified objects, which allows attackers to obtain sensitive information by reading the trace output. |
|
28 |
CVE-2010-0785 |
352 |
|
CSRF |
2010-11-09 |
2010-11-10 |
6.0 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in the Administrative Console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.35 and 7.0 before 7.0.0.13 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. |
|
29 |
CVE-2010-0783 |
79 |
|
XSS |
2010-11-09 |
2010-11-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Administrative Console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.35 and 7.0 before 7.0.0.13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
30 |
CVE-2010-0779 |
79 |
|
XSS |
2010-06-24 |
2010-06-25 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Administration Console in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.43, 6.1 before 6.1.0.33, and 7.0 before 7.0.0.11 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
31 |
CVE-2010-0778 |
79 |
|
XSS |
2010-06-24 |
2010-06-25 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Administration Console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.33 and 7.0 before 7.0.0.11 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
32 |
CVE-2010-0777 |
20 |
|
+Info |
2010-05-17 |
2010-05-26 |
2.6 |
None |
Remote |
High |
Not required |
Partial |
None |
None |
|
The Web Container in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.43, 6.1 before 6.1.0.31, and 7.0 before 7.0.0.11 does not properly handle long filenames and consequently sends an incorrect file in some responses, which allows remote attackers to obtain sensitive information by reading the retrieved file. |
|
33 |
CVE-2010-0776 |
20 |
|
DoS |
2010-05-17 |
2010-05-18 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The Web Container in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.43, 6.1 before 6.1.0.31, and 7.0 before 7.0.0.11 does not properly handle chunked transfer encoding during a call to response.sendRedirect, which allows remote attackers to cause a denial of service via a GET request. |
|
34 |
CVE-2010-0775 |
399 |
|
DoS |
2010-05-17 |
2010-05-18 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Unspecified vulnerability in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.41, 6.1 before 6.1.0.31, and 7.0 before 7.0.0.11 allows remote attackers to cause a denial of service (memory consumption and daemon crash) via a crafted request, related to the nodeagent and Deployment Manager components. |
|
35 |
CVE-2010-0774 |
264 |
|
Bypass |
2010-05-17 |
2010-05-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The (1) JAX-RPC WS-Security 1.0 and (2) JAX-WS runtime implementations in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.41, 6.1 before 6.1.0.31, and 7.0 before 7.0.0.11 do not properly handle WebServices PKCS#7 and PKIPath tokens, which allows remote attackers to bypass intended access restrictions via unspecified vectors. |
|
36 |
CVE-2009-2746 |
352 |
|
CSRF |
2009-11-16 |
2009-11-20 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in the administrative console in the Security component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.39, 6.1 before 6.1.0.29, and 7.0 before 7.0.0.7 allows remote attackers to hijack the authentication of administrators via unspecified vectors. |
|
37 |
CVE-2009-2744 |
|
|
DoS |
2009-09-21 |
2010-03-06 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
Unspecified vulnerability in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.27 allows remote attackers to cause a denial of service via unknown vectors, related to "an error in fixpacks 6.1.0.23 and 6.1.0.25." |
|
38 |
CVE-2009-2743 |
|
|
+Info |
2009-09-21 |
2010-12-30 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.27, and 7.0 before 7.0.0.7, does not properly handle an exception occurring after use of wsadmin scripts and configuration of JAAS-J2C Authentication Data, which allows local users to obtain sensitive information by reading the First Failure Data Capture (FFDC) log file. |
|
39 |
CVE-2009-2742 |
79 |
|
XSS |
2009-09-21 |
2010-03-06 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Eclipse Help in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.27 allows remote attackers to inject arbitrary web script or HTML via unspecified input. |
|
40 |
CVE-2009-2089 |
16 |
|
+Info |
2009-08-13 |
2009-09-02 |
2.1 |
None |
Remote |
High |
Single system |
Partial |
None |
None |
|
The Migration component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 and 7.0 before 7.0.0.5, when tracing is enabled and a 6.1 to 7.0 migration has occurred, allows remote authenticated users to obtain sensitive information by reading a Migration Trace file. |
|
41 |
CVE-2009-2088 |
287 |
|
Bypass |
2009-08-13 |
2009-08-14 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The Servlet Engine/Web Container component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 and 7.0 before 7.0.0.5, when SPNEGO Single Sign-on (SSO) and disableSecurityPreInvokeOnFilters are configured, allows remote attackers to bypass authentication via a request for a "secure URL," related to a certain invokefilterscompatibility property. |
|
42 |
CVE-2009-2087 |
255 |
|
DoS |
2009-08-13 |
2009-08-14 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
The Web Services functionality in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 and 7.0 before 7.0.0.5, in certain circumstances involving the ibm-webservicesclient-bind.xmi file and custom password encryption, uses weak password obfuscation, which allows local users to cause a denial of service (deployment failure) via unspecified vectors. |
|
43 |
CVE-2009-2085 |
287 |
|
Bypass |
2009-08-13 |
2009-08-14 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The Security component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 and 7.0 before 7.0.0.5 does not properly handle use of Identity Assertion with CSIv2 Security, which allows remote attackers to bypass intended CSIv2 access restrictions via vectors involving Enterprise JavaBeans (EJB). |
|
44 |
CVE-2009-1172 |
20 |
|
|
2009-03-31 |
2009-06-17 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
The JAX-RPC WS-Security runtime in the Web Services Security component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.23 and 7.0 before 7.0.0.3, when APAR PK41002 is installed, does not properly validate UsernameToken objects, which has unknown impact and attack vectors. |
|
45 |
CVE-2009-0904 |
264 |
|
Bypass |
2009-07-05 |
2009-07-22 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
|
The IBM Stax XMLStreamWriter in the Web Services component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 does not properly process XML encoding, which allows remote attackers to bypass intended access restrictions and possibly modify data via "XML fuzzing attacks" sent through SOAP requests. |
|
46 |
CVE-2009-0903 |
|
|
Bypass |
2009-06-24 |
2009-07-11 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.3, and the Feature Pack for Web Services for WAS 6.1 before 6.1.0.25, when a WS-Security policy is established at the operation level, does not properly handle inbound requests that lack a SOAPAction or WS-Addressing Action, which allows remote attackers to bypass intended access restrictions via a crafted request to a JAX-WS application. |
|
47 |
CVE-2009-0892 |
287 |
|
|
2009-03-31 |
2009-04-16 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
None |
|
The administrative console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.23 and 7.0 before 7.0.0.3 allows attackers to hijack user sessions in "specific scenarios" related to a forced logout. |
|
48 |
CVE-2009-0891 |
287 |
|
|
2009-03-24 |
2009-03-26 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
None |
|
The Web Services Security component in IBM WebSphere Application Server 7.0 before Fix Pack 1 (7.0.0.1), 6.1 before Fix Pack 23 (6.1.0.23),and 6.0.2 before Fix Pack 33 (6.0.2.33) does not properly enforce (1) nonce and (2) timestamp expiration values in WS-Security bindings as stored in the com.ibm.wsspi.wssecurity.core custom property, which allows remote authenticated users to conduct session hijacking attacks. |
|
49 |
CVE-2009-0856 |
79 |
|
XSS |
2009-03-09 |
2009-06-05 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in sample applications in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.35, and 6.1 before 6.1.0.23 on z/OS, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
50 |
CVE-2009-0855 |
79 |
|
XSS |
2009-03-09 |
2009-04-01 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the administrative console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.23 on z/OS allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
