Ibm: >> Websphere Application Server >> 7.0 Security Vulnerabilities
IBM WebSphere Application Server (WAS) 6.1 through 6.1.0.24 and 7.0 through 7.0.0.4, IBM WebSphere Portal Server 5.1 through 6.0, and IBM Integrated Solutions Console (ISC) 6.0.1 do not properly set the IsSecurityEnabled security flag during migration of WebSphere Member Manager (WMM) to Virtual Member Manager (VMM) and a Federated Repository, which allows attackers to obtain sensitive information from repositories via unspecified vectors.
CVSS Score
4.3
EPSS Score
0.003
Published
2009-06-03
The administrative console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.23 and 7.0 before 7.0.0.3 allows attackers to hijack user sessions in "specific scenarios" related to a forced logout.
CVSS Score
5.5
EPSS Score
0.004
Published
2009-03-31
The JAX-RPC WS-Security runtime in the Web Services Security component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.23 and 7.0 before 7.0.0.3, when APAR PK41002 is installed, does not properly validate UsernameToken objects, which has unknown impact and attack vectors.
CVSS Score
10.0
EPSS Score
0.013
Published
2009-03-31
IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.3 uses weak permissions (777) for files associated with unspecified "interim fixes," which allows attackers to modify files that would not have been accessible if the intended 755 permissions were used.
CVSS Score
2.1
EPSS Score
0.001
Published
2009-03-31
The Web Services Security component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.35 and 7.0 before 7.0.0.3 has an unspecified "security problem" in the XML digital-signature specification, which has unknown impact and attack vectors.
CVSS Score
10.0
EPSS Score
0.012
Published
2009-03-31
The Web Services Security component in IBM WebSphere Application Server 7.0 before Fix Pack 1 (7.0.0.1), 6.1 before Fix Pack 23 (6.1.0.23),and 6.0.2 before Fix Pack 33 (6.0.2.33) does not properly enforce (1) nonce and (2) timestamp expiration values in WS-Security bindings as stored in the com.ibm.wsspi.wssecurity.core custom property, which allows remote authenticated users to conduct session hijacking attacks.
CVSS Score
5.5
EPSS Score
0.004
Published
2009-03-25
The Servlet Engine/Web Container and JSP components in IBM WebSphere Application Server (WAS) 5.1.0, 5.1.1.19, 6.0.2 before 6.0.2.35, 6.1 before 6.1.0.23, and 7.0 before 7.0.0.3 allow remote attackers to read arbitrary files contained in war files in (1) web-inf, (2) meta-inf, and unspecified other directories via unknown vectors, related to (a) web-based applications and (b) the administrative console.
CVSS Score
7.5
EPSS Score
0.017
Published
2009-03-16
WSPolicy in the Web Services component in IBM WebSphere Application Server (WAS) 7.0.x before 7.0.0.1 does not properly recognize the IDAssertion.isUsed binding property, which allows local users to discover a password by reading a SOAP message.
CVSS Score
2.1
EPSS Score
0.001
Published
2009-02-17
PerfServlet in the PMI/Performance Tools component in IBM WebSphere Application Server (WAS) 6.0.x before 6.0.2.31, 6.1.x before 6.1.0.21, and 7.0.x before 7.0.0.1, when Performance Monitoring Infrastructure (PMI) is enabled, allows local users to obtain sensitive information by reading the (1) systemout.log and (2) ffdc files. NOTE: this is probably a duplicate of CVE-2008-5413.
CVSS Score
1.9
EPSS Score
0.001
Published
2009-02-10
IBM WebSphere Application Server (WAS) 7 before 7.0.0.1 on Windows allows remote attackers to bypass "Authorization checking" and obtain sensitive information from JSP pages via a crafted request. NOTE: this is probably a duplicate of CVE-2008-5412.
CVSS Score
5.0
EPSS Score
0.002
Published
2009-02-10