| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2012-0193 |
20 |
|
DoS |
2012-01-19 |
2012-01-20 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
IBM WebSphere Application Server (WAS) 6.0 through 6.0.2.43, 6.1 before 6.1.0.43, 7.0 before 7.0.0.23, and 8.0 before 8.0.0.3 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. |
|
2 |
CVE-2011-1683 |
264 |
|
|
2011-04-13 |
2011-04-21 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
IBM WebSphere Application Server (WAS) 6.0.x through 6.0.2.43, 6.1.x before 6.1.0.37, and 7.0.x before 7.0.0.17 on z/OS, when a Local OS user registry or Federated Repository with RACF adapter is used, allows remote attackers to obtain unspecified application access via unknown vectors. |
|
3 |
CVE-2010-2327 |
20 |
|
DoS |
2010-06-18 |
2010-06-21 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
mod_ibm_ssl in IBM HTTP Server 6.0 before 6.0.2.43, 6.1 before 6.1.0.33, and 7.0 before 7.0.0.11, as used in IBM WebSphere Application Server (WAS) on z/OS, does not properly handle a large HTTP request body in uploading over SSL, which might allow remote attackers to cause a denial of service (daemon fail) via an upload. |
|
4 |
CVE-2010-1650 |
310 |
|
+Info |
2010-05-03 |
2010-05-20 |
1.9 |
None |
Local |
Medium |
Not required |
Partial |
None |
None |
|
IBM WebSphere Application Server (WAS) 6.0.x before 6.0.2.41, 6.1.x before 6.1.0.31, and 7.0.x before 7.0.0.11, when the -trace option (aka debugging mode) is enabled, executes debugging statements that print string representations of unspecified objects, which allows attackers to obtain sensitive information by reading the trace output. |
|
5 |
CVE-2010-0779 |
79 |
|
XSS |
2010-06-24 |
2010-06-25 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Administration Console in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.43, 6.1 before 6.1.0.33, and 7.0 before 7.0.0.11 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
6 |
CVE-2010-0777 |
20 |
|
+Info |
2010-05-17 |
2010-05-26 |
2.6 |
None |
Remote |
High |
Not required |
Partial |
None |
None |
|
The Web Container in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.43, 6.1 before 6.1.0.31, and 7.0 before 7.0.0.11 does not properly handle long filenames and consequently sends an incorrect file in some responses, which allows remote attackers to obtain sensitive information by reading the retrieved file. |
|
7 |
CVE-2010-0776 |
20 |
|
DoS |
2010-05-17 |
2010-05-18 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The Web Container in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.43, 6.1 before 6.1.0.31, and 7.0 before 7.0.0.11 does not properly handle chunked transfer encoding during a call to response.sendRedirect, which allows remote attackers to cause a denial of service via a GET request. |
|
8 |
CVE-2010-0775 |
399 |
|
DoS |
2010-05-17 |
2010-05-18 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Unspecified vulnerability in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.41, 6.1 before 6.1.0.31, and 7.0 before 7.0.0.11 allows remote attackers to cause a denial of service (memory consumption and daemon crash) via a crafted request, related to the nodeagent and Deployment Manager components. |
|
9 |
CVE-2010-0774 |
264 |
|
Bypass |
2010-05-17 |
2010-05-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The (1) JAX-RPC WS-Security 1.0 and (2) JAX-WS runtime implementations in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.41, 6.1 before 6.1.0.31, and 7.0 before 7.0.0.11 do not properly handle WebServices PKCS#7 and PKIPath tokens, which allows remote attackers to bypass intended access restrictions via unspecified vectors. |
|
10 |
CVE-2010-0770 |
399 |
|
DoS |
2010-04-01 |
2010-04-02 |
4.0 |
None |
Remote |
Low |
Single system |
None |
None |
Partial |
|
IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.41, 6.1 before 6.1.0.31, and 7.0 before 7.0.0.9 allows remote authenticated users to cause a denial of service (ORB ListenerThread hang) by aborting an SSL handshake. |
|
11 |
CVE-2010-0769 |
255 |
|
|
2010-04-01 |
2010-04-02 |
1.9 |
None |
Local |
Medium |
Not required |
Partial |
None |
None |
|
IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.41, 6.1 before 6.1.0.31, and 7.0 before 7.0.0.9 does not properly define wsadmin scripting J2CConnectionFactory objects, which allows local users to discover a KeyRingPassword password by reading a cleartext field in the resources.xml file. |
|
12 |
CVE-2010-0768 |
79 |
|
XSS |
2010-04-01 |
2010-04-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Administration Console in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.41, 6.1 before 6.1.0.31, and 7.0 before 7.0.0.9 allows remote attackers to inject arbitrary web script or HTML via the URI. |
|
13 |
CVE-2009-3106 |
264 |
|
Bypass +Info |
2009-09-08 |
2009-09-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Servlet Engine/Web Container component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.37 does not properly implement security constraints on the (1) doGet and (2) doTrace methods, which allows remote attackers to bypass intended access restrictions and obtain sensitive information via a crafted HTTP HEAD request to a Web Application. |
|
14 |
CVE-2009-2746 |
352 |
|
CSRF |
2009-11-16 |
2009-11-20 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in the administrative console in the Security component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.39, 6.1 before 6.1.0.29, and 7.0 before 7.0.0.7 allows remote attackers to hijack the authentication of administrators via unspecified vectors. |
|
15 |
CVE-2009-1901 |
|
|
|
2009-06-03 |
2009-06-24 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
The Security component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.35 permits "non-standard http methods," which has unknown impact and remote attack vectors. |
|
16 |
CVE-2009-1900 |
200 |
|
+Info |
2009-06-03 |
2009-08-15 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Configservice APIs in the Administrative Console component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.35, 6.1 before 6.1.0.25, and 7.0 before 7.0.0.5, when tracing is enabled, allow remote attackers to obtain sensitive information via unspecified use of the wsadmin scripting tool. |
|
17 |
CVE-2009-1899 |
|
|
+Info |
2009-06-03 |
2009-08-15 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Unspecified vulnerability in the Administrative Configservice API in the System Management/Repository component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.35, 6.1 before 6.1.0.25, and 7.0 before 7.0.0.5 on z/OS allows remote authenticated users to obtain sensitive information via unknown use of the wsadmin scripting tool, related to a "security exposure in wsadmin." |
|
18 |
CVE-2009-1898 |
200 |
|
+Info |
2009-06-03 |
2009-06-24 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The secure login page in the Administrative Console component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.35 does not redirect to an https page upon receiving an http request, which makes it easier for remote attackers to read the contents of WAS sessions by sniffing the network. |
|
19 |
CVE-2009-0891 |
287 |
|
|
2009-03-24 |
2009-03-26 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
None |
|
The Web Services Security component in IBM WebSphere Application Server 7.0 before Fix Pack 1 (7.0.0.1), 6.1 before Fix Pack 23 (6.1.0.23),and 6.0.2 before Fix Pack 33 (6.0.2.33) does not properly enforce (1) nonce and (2) timestamp expiration values in WS-Security bindings as stored in the com.ibm.wsspi.wssecurity.core custom property, which allows remote authenticated users to conduct session hijacking attacks. |
|
20 |
CVE-2009-0508 |
200 |
|
+Info |
2009-03-16 |
2009-06-05 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The Servlet Engine/Web Container and JSP components in IBM WebSphere Application Server (WAS) 5.1.0, 5.1.1.19, 6.0.2 before 6.0.2.35, 6.1 before 6.1.0.23, and 7.0 before 7.0.0.3 allow remote attackers to read arbitrary files contained in war files in (1) web-inf, (2) meta-inf, and unspecified other directories via unknown vectors, related to (a) web-based applications and (b) the administrative console. |
|
21 |
CVE-2009-0217 |
|
|
Bypass |
2009-07-14 |
2012-10-22 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits. |
