CVE-2008-4679: Improper Authentication in IBM WebSphere Application Server

Severity: 6.8 MEDIUM (NVD)
EPSS: 0.3% (top 46.43%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 22; latest update May 17

Description

The Web Services Security component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.31 and 6.1 before 6.1.0.19, when Certificate Store Collections is configured to use Certificate Revocation Lists (CRL), does not call the setRevocationEnabled method on the PKIXBuilderParameters object, which prevents the "Java security method" from checking the revocation status of X.509 certificates and allows remote attackers to bypass intended access restrictions via a SOAP message with a revoked
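The parameter object named in the description is the JDK's `PKIXBuilderParameters`; the following is an added illustration, not WebSphere's own code, of a hypothetical helper that builds those parameters with CRL checking switched on explicitly so that the `CertPathBuilder` actually consults the supplied CRLs. The trust store, certificate chain and CRL list are assumed inputs.

```java
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderResult;
import java.security.cert.CertStore;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CRL;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper; not part of WebSphere. It shows the parameter object
// the advisory refers to, with revocation checking enabled explicitly.
public final class RevocationAwarePathValidator {

    /**
     * @param trustStore KeyStore holding trusted CA certificates (assumed input)
     * @param chain      end-entity certificate first, then intermediates (assumed input)
     * @param crls       CRLs issued by the CAs in the chain (assumed input)
     */
    static PKIXBuilderParameters buildParams(KeyStore trustStore,
                                             List<X509Certificate> chain,
                                             List<X509CRL> crls) throws Exception {
        // Target the end-entity certificate carried in the (SOAP) message.
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(chain.get(0));

        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, target);

        // The call the advisory says was missing: enable revocation checking
        // explicitly rather than inheriting whatever the surrounding code set.
        // Without it the CRLs below are loaded but never consulted, and a
        // revoked signer still validates.
        params.setRevocationEnabled(true);

        // One Collection CertStore holds the chain (so the builder can find
        // intermediates) together with the CRLs it must check against.
        List<Object> storeContents = new ArrayList<>(chain);
        storeContents.addAll(crls);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(storeContents)));
        return params;
    }

    /** Returns the validated path; a revoked certificate surfaces as CertPathBuilderException. */
    static CertPathBuilderResult validate(PKIXBuilderParameters params) throws Exception {
        return CertPathBuilder.getInstance("PKIX").build(params);
    }
}
```

With revocation enabled the builder fails closed when no CRL covering an issuer is available, so the CRL set has to be kept current; that failure is the intended behaviour, not a regression.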

CVSS vector

AV:N/AC:M/C:P/I:P/A:P
Exploitability: 8.6 | Impact: 6.4

Affected Packages (1 package)

Patches

🔴 Vulnerability Details (2)

- GHSA: GHSA-pcg9-cjxc-8j7x (2022-05-17): The Web Services Security component in IBM WebSphere Application Server (WAS) 6
- CVEList: CVE-2008-4679 (2008-10-22): The Web Services Security component in IBM WebSphere Application Server (WAS) 6

📐 Framework References (1)

- CWE: Improper Check for Certificate Revocation
CVE-2008-4679 — Improper Authentication in IBM | cvebase