Ibm Websphere Application Server vulnerabilities

CVE-2011-1317 [MEDIUM] CWE-399 CVE-2011-1317: Memory leak in com.ibm.ws.jsp.runtime.WASJSPStrBufferImpl in the JavaServer Pages (JSP) component in Memory leak in com.ibm.ws.jsp.runtime.WASJSPStrBufferImpl in the JavaServer Pages (JSP) component in IBM WebSphere Application Server (WAS) 6.1.0.x before 6.1.0.37 and 7.x before 7.0.0.15 allows remote attackers to cause a denial of service (memory consumption) by sending many JSP requests that trigger large responses.

CVE-2011-1319 [MEDIUM] CWE-399 CVE-2011-1319: The Security component in IBM WebSphere Application Server (WAS) 6.1.0.x before 6.1.0.35 and 7.x bef The Security component in IBM WebSphere Application Server (WAS) 6.1.0.x before 6.1.0.35 and 7.x before 7.0.0.15 allows remote authenticated users to cause a denial of service (memory consumption) by using a Lightweight Third-Party Authentication (LTPA) token for authentication.

CVE-2011-1318 [MEDIUM] CWE-399 CVE-2011-1318: Memory leak in org.apache.jasper.runtime.JspWriterImpl.response in the JavaServer Pages (JSP) compon Memory leak in org.apache.jasper.runtime.JspWriterImpl.response in the JavaServer Pages (JSP) component in IBM WebSphere Application Server (WAS) before 7.0.0.15 allows remote attackers to cause a denial of service (memory consumption) by accessing a JSP page of an application that is repeatedly stopped and restarted.

CVE-2011-1321 [MEDIUM] CWE-264 CVE-2011-1321: The AuthCache purge implementation in the Security component in IBM WebSphere Application Server (WA The AuthCache purge implementation in the Security component in IBM WebSphere Application Server (WAS) 6.1.0.x before 6.1.0.37 and 7.x before 7.0.0.15 does not purge a user from the PlatformCredential cache, which might allow remote authenticated users to gain privileges by leveraging a group membership specified in an old RACF Object (aka RACO).

CVE-2011-1315 [MEDIUM] CWE-399 CVE-2011-1315: Memory leak in the messaging engine in IBM WebSphere Application Server (WAS) before 7.0.0.15 allows Memory leak in the messaging engine in IBM WebSphere Application Server (WAS) before 7.0.0.15 allows remote attackers to cause a denial of service (memory consumption) via network connections associated with a NULL return value from a synchronous JMS receive call.

CVE-2011-1311 [MEDIUM] CWE-264 CVE-2011-1311: The Security component in IBM WebSphere Application Server (WAS) before 7.0.0.15, when a J2EE 1.4 ap The Security component in IBM WebSphere Application Server (WAS) before 7.0.0.15, when a J2EE 1.4 application is used, determines the security role mapping on the basis of the ibm-application-bnd.xml file instead of the intended ibm-application-bnd.xmi file, which might allow remote authenticated users to gain privileges in opportunistic circumstances

CVE-2011-1308 [MEDIUM] CWE-79 CVE-2011-1308: Cross-site scripting (XSS) vulnerability in the Installation Verification Test (IVT) application in Cross-site scripting (XSS) vulnerability in the Installation Verification Test (IVT) application in the Install component in IBM WebSphere Application Server (WAS) before 7.0.0.15 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2011-1322 [MEDIUM] CWE-399 CVE-2011-1322: The SOAP with Attachments API for Java (SAAJ) implementation in the Web Services component in IBM We The SOAP with Attachments API for Java (SAAJ) implementation in the Web Services component in IBM WebSphere Application Server (WAS) 6.1.0.x before 6.1.0.37 and 7.x before 7.0.0.15 allows remote attackers to cause a denial of service (memory consumption) via encrypted SOAP messages.

CVE-2011-1307 [LOW] CVE-2011-1307: The installer in IBM WebSphere Application Server (WAS) before 7.0.0.15 uses 777 permissions for a t The installer in IBM WebSphere Application Server (WAS) before 7.0.0.15 uses 777 permissions for a temporary log directory, which allows local users to have unintended access to log files via standard filesystem operations, a different vulnerability than CVE-2009-1173.

CVE-2011-1310 [LOW] CWE-200 CVE-2011-1310: The Administrative Scripting Tools component in IBM WebSphere Application Server (WAS) 6.1.0.x befor The Administrative Scripting Tools component in IBM WebSphere Application Server (WAS) 6.1.0.x before 6.1.0.35 and 7.x before 7.0.0.15, when tracing is enabled, places wsadmin command parameters into the (1) wsadmin.traceout and (2) trace.log files, which allows local users to obtain potentially sensitive information by reading these files.

CVE-2008-7274 [MEDIUM] CWE-20 CVE-2008-7274: IBM WebSphere Application Server (WAS) 6.1.0.9, when the JAAS Login functionality is enabled, allows IBM WebSphere Application Server (WAS) 6.1.0.9, when the JAAS Login functionality is enabled, allows attackers to perform an internal application hashtable login by (1) not providing a password or (2) providing an empty password.

CVE-2011-0316 [MEDIUM] CWE-264 CVE-2011-0316: The Administrative Console component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.35 a The Administrative Console component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.35 and 7.0 before 7.0.0.15 does not properly restrict access to console servlets, which allows remote attackers to obtain potentially sensitive status information via a direct request.

CVE-2011-0315 [MEDIUM] CWE-79 CVE-2011-0315: Cross-site scripting (XSS) vulnerability in the Servlet Engine / Web Container component in IBM WebS Cross-site scripting (XSS) vulnerability in the Servlet Engine / Web Container component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.35 and 7.0 before 7.0.0.15 allows remote attackers to inject arbitrary web script or HTML via vectors related to the lack of an error page for an application.

CVE-2010-0786 [MEDIUM] CWE-20 CVE-2010-0786: The Web Services Security component in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.13 do The Web Services Security component in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.13 does not properly implement the Java API for XML Web Services (aka JAX-WS), which allows remote attackers to cause a denial of service (data corruption) via a crafted JAX-WS request that leads to incorrectly encoded data.

CVE-2010-0784 [MEDIUM] CWE-79 CVE-2010-0784: Cross-site scripting (XSS) vulnerability in the Administrative Console in IBM WebSphere Application Cross-site scripting (XSS) vulnerability in the Administrative Console in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2010-0783 [MEDIUM] CWE-79 CVE-2010-0783: Cross-site scripting (XSS) vulnerability in the Administrative Console in IBM WebSphere Application Cross-site scripting (XSS) vulnerability in the Administrative Console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.35 and 7.0 before 7.0.0.13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2010-4220 [MEDIUM] CWE-79 CVE-2010-4220: Cross-site scripting (XSS) vulnerability in the Integrated Solution Console in the Administrative Co Cross-site scripting (XSS) vulnerability in the Integrated Solution Console in the Administrative Console component in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related in part to "URL injection."

CVE-2010-0785 [MEDIUM] CWE-352 CVE-2010-0785: Cross-site request forgery (CSRF) vulnerability in the Administrative Console in IBM WebSphere Appli Cross-site request forgery (CSRF) vulnerability in the Administrative Console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.35 and 7.0 before 7.0.0.13 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2010-3700 [MEDIUM] CWE-264 CVE-2010-3700: VMware SpringSource Spring Security 2.x before 2.0.6 and 3.x before 3.0.4, and Acegi Security 1.0.0 VMware SpringSource Spring Security 2.x before 2.0.6 and 3.x before 3.0.4, and Acegi Security 1.0.0 through 1.0.7, as used in IBM WebSphere Application Server (WAS) 6.1 and 7.0, allows remote attackers to bypass security constraints via a path parameter.

CVE-2010-0781 [MEDIUM] CVE-2010-0781: Unspecified vulnerability in the administrative console in IBM WebSphere Application Server (WAS) 6. Unspecified vulnerability in the administrative console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.33 allows remote authenticated users to cause a denial of service (CPU consumption) via a crafted URL.