IBM WebSphere Application Server vulnerabilities

442 known vulnerabilities affecting ibm/websphere_application_server.

Total CVEs: 442
CISA KEV: 1 (actively exploited)
Public exploits: 13
Exploited in wild: 2
Severity breakdown: CRITICAL 49, HIGH 92, MEDIUM 261, LOW 40

Vulnerabilities

Page 16 of 23
CVE-2010-3186 | CRITICAL | CVSS 10.0 | v7.0, v7.0.0.1 +31 more | 2010-08-30
CVE-2010-3186 [CRITICAL] CWE-20: IBM WebSphere Application Server (WAS) 7.x before 7.0.0.13, and WebSphere Application Server Feature Pack for Web Services 6.1.0.9 through 6.1.0.32, when a JAX-WS application is used, does not properly handle an IncludeTimestamp setting in the WS-Security policy, which has unspecified impact and remote attack vectors.
Source: nvd
CVE-2010-0779 | MEDIUM | CVSS 4.3 | v6.1, v6.1.0 +52 more | 2010-06-24
CVE-2010-0779 [MEDIUM] CWE-79: Cross-site scripting (XSS) vulnerability in the Administration Console in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.43, 6.1 before 6.1.0.33, and 7.0 before 7.0.0.11 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Source: nvd
CVE-2010-0778 | MEDIUM | CVSS 4.3 | v6.1, v6.1.0 +24 more | 2010-06-24
CVE-2010-0778 [MEDIUM] CWE-79: Cross-site scripting (XSS) vulnerability in the Administration Console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.33 and 7.0 before 7.0.0.11 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Source: nvd
CVE-2010-2324 | HIGH | CVSS 7.5 | ≤ 7.0.0.10, v7.0 +9 more | 2010-06-18
CVE-2010-2324 [HIGH]: IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11 on z/OS allows attackers to perform unspecified "link injection" actions via unknown vectors.
Source: nvd
CVE-2010-2326 | MEDIUM | CVSS 4.3 | v7.0, v7.0.0.1 +4 more | 2010-06-18
CVE-2010-2326 [MEDIUM] CWE-200: IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11, when addNode -trace is used during node federation, allows attackers to obtain sensitive information about CIMMetadataCollectorImpl trace actions by reading the addNode.log file.
Source: nvd
CVE-2010-2325 | MEDIUM | CVSS 4.3 | ≤ 7.0.0.10, v7.0 +9 more | 2010-06-18
CVE-2010-2325 [MEDIUM] CWE-79: Cross-site scripting (XSS) vulnerability in the administrative console in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11 on z/OS allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related in part to "URL injection."
Source: nvd
CVE-2010-2328 | MEDIUM | CVSS 5.0 | v7.0, v7.0.0.1 +4 more | 2010-06-18
CVE-2010-2328 [MEDIUM]: The HTTP Channel in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11 allows remote attackers to cause a denial of service (NullPointerException) via a large amount of chunked data that uses gzip compression.
Source: nvd
CVE-2010-2327 | MEDIUM | CVSS 4.3 | v6.0, v6.0.0.1 +52 more | 2010-06-18
CVE-2010-2327 [MEDIUM] CWE-20: mod_ibm_ssl in IBM HTTP Server 6.0 before 6.0.2.43, 6.1 before 6.1.0.33, and 7.0 before 7.0.0.11, as used in IBM WebSphere Application Server (WAS) on z/OS, does not properly handle a large HTTP request body in uploading over SSL, which might allow remote attackers to cause a denial of service (daemon fail) via an upload.
Source: nvd
CVE-2010-2323 | MEDIUM | CVSS 5.0 | ≤ 7.0.0.10, v7.0 +9 more | 2010-06-18
CVE-2010-2323 [MEDIUM] CWE-200: IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.11 on z/OS might allow attackers to obtain sensitive information by reading the default_create.log file that is associated with profile creation by the BBOWWPFx job and the zPMT.
Source: nvd
CVE-2010-0775 | MEDIUM | CVSS 5.0 | v6.0, v6.0.0.1 +74 more | 2010-05-17
CVE-2010-0775 [MEDIUM] CWE-399: Unspecified vulnerability in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.41, 6.1 before 6.1.0.31, and 7.0 before 7.0.0.11 allows remote attackers to cause a denial of service (memory consumption and daemon crash) via a crafted request, related to the nodeagent and Deployment Manager components.
Source: nvd
CVE-2010-0776 | MEDIUM | CVSS 5.0 | v6.0, v6.0.0.1 +74 more | 2010-05-17
CVE-2010-0776 [MEDIUM] CWE-20: The Web Container in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.43, 6.1 before 6.1.0.31, and 7.0 before 7.0.0.11 does not properly handle chunked transfer encoding during a call to response.sendRedirect, which allows remote attackers to cause a denial of service via a GET request.
Source: nvd
CVE-2010-0774 | MEDIUM | CVSS 4.3 | v6.0, v6.0.0.1 +74 more | 2010-05-17
CVE-2010-0774 [MEDIUM] CWE-264: The (1) JAX-RPC WS-Security 1.0 and (2) JAX-WS runtime implementations in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.41, 6.1 before 6.1.0.31, and 7.0 before 7.0.0.11 do not properly handle WebServices PKCS#7 and PKIPath tokens, which allows remote attackers to bypass intended access restrictions via unspecified vectors.
Source: nvd
CVE-2010-0777 | LOW | CVSS 2.6 | v6.0, v6.0.0.1 +74 more | 2010-05-17
CVE-2010-0777 [LOW] CWE-20: The Web Container in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.43, 6.1 before 6.1.0.31, and 7.0 before 7.0.0.11 does not properly handle long filenames and consequently sends an incorrect file in some responses, which allows remote attackers to obtain sensitive information by reading the retrieved file.
Source: nvd
CVE-2010-1651 | LOW | CVSS 1.9 | v6.1, v6.1.0 +42 more | 2010-05-03
CVE-2010-1651 [LOW] CWE-310: IBM WebSphere Application Server (WAS) 6.1.x before 6.1.0.31 and 7.0.x before 7.0.0.11, when Basic authentication and SIP tracing (aka full trace logging for SIP) are enabled, logs the entirety of all inbound and outbound SIP messages, which allows local users to obtain sensitive information by reading the trace log.
Source: nvd
CVE-2010-1650 | LOW | CVSS 1.9 | v6.0, v6.0.0.1 +92 more | 2010-05-03
CVE-2010-1650 [LOW] CWE-310: IBM WebSphere Application Server (WAS) 6.0.x before 6.0.2.41, 6.1.x before 6.1.0.31, and 7.0.x before 7.0.0.11, when the -trace option (aka debugging mode) is enabled, executes debugging statements that print string representations of unspecified objects, which allows attackers to obtain sensitive information by reading the trace output.
Source: nvd
CVE-2010-0768 | MEDIUM | CVSS 4.3 | ≤ 6.0.2.39, v6.0.2 +41 more | 2010-04-01
CVE-2010-0768 [MEDIUM] CWE-79: Cross-site scripting (XSS) vulnerability in the Administration Console in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.41, 6.1 before 6.1.0.31, and 7.0 before 7.0.0.9 allows remote attackers to inject arbitrary web script or HTML via the URI.
Source: nvd
CVE-2010-0770 | MEDIUM | CVSS 4.0 | ≤ 6.0.2.39, v6.0 +46 more | 2010-04-01
CVE-2010-0770 [MEDIUM] CWE-399: IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.41, 6.1 before 6.1.0.31, and 7.0 before 7.0.0.9 allows remote authenticated users to cause a denial of service (ORB ListenerThread hang) by aborting an SSL handshake.
Source: nvd
CVE-2010-0769 | LOW | CVSS 1.9 | ≤ 6.0.2.39, v6.0 +46 more | 2010-04-01
CVE-2010-0769 [LOW] CWE-255: IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.41, 6.1 before 6.1.0.31, and 7.0 before 7.0.0.9 does not properly define wsadmin scripting J2CConnectionFactory objects, which allows local users to discover a KeyRingPassword password by reading a cleartext field in the resources.xml file.
Source: nvd
CVE-2010-1182 | HIGH | CVSS 7.5 | v7.0, v7.0.0.1 +7 more | 2010-03-29
CVE-2010-1182 [HIGH]: Multiple unspecified vulnerabilities in the administrative console in IBM WebSphere Application Server (WAS) 7.0.x before 7.0.0.9 on z/OS have unknown impact and attack vectors.
Source: nvd
CVE-2010-0425 | CRITICAL | CVSS 10.0 | PoC | ≥ 6.1, < 6.1.0.31 | 2010-03-05
CVE-2010-0425 [CRITICAL]: modules/arch/win32/mod_isapi.c in mod_isapi in the Apache HTTP Server 2.0.37 through 2.0.63, 2.2.0 through 2.2.14, and 2.3.x before 2.3.7, when running on Windows, does not ensure that request processing is complete before calling isapi_unload for an ISAPI .dll module, which allows remote attackers to execute arbitrary code via unspecified vectors related t
Source: nvd