CVE-2011-1321 — Prototype Pollution in IBM Websphere Application Server

CWE-264 CWE-1321 — Prototype Pollution CWE-94 — Code Injection4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.3%

top 44.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Spree IBM Websphere Application Server

Timeline

PublishedMar 8

Latest updateAug 13

Description

The AuthCache purge implementation in the Security component in IBM WebSphere Application Server (WAS) 6.1.0.x before 6.1.0.37 and 7.x before 7.0.0.15 does not purge a user from the PlatformCredential cache, which might allow remote authenticated users to gain privileges by leveraging a group membership specified in an old RACF Object (aka RACO).

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 8.0 | Impact: 6.4

Affected Packages2 packages

▶NVDibm/websphere_application_server33 versions+32

▶RubyGemsspree/spree< 0.60.2

🔴Vulnerability Details

GHSA

Spree has Remote Command Execution vulnerability in search functionality↗2025-08-13

▶

GHSA

GHSA-ppgj-6hgj-9892: The AuthCache purge implementation in the Security component in IBM WebSphere Application Server (WAS) 6↗2022-05-17

▶

CVEList

CVE-2011-1321: The AuthCache purge implementation in the Security component in IBM WebSphere Application Server (WAS) 6↗2011-03-08

▶