
IBM WebSphere Application Server vulnerabilities

451 known vulnerabilities affecting ibm/websphere_application_server.

Total CVEs: 451
CISA KEV: 1 (actively exploited)
Public exploits: 13
Exploited in wild: 2
Severity breakdown: CRITICAL 53, HIGH 95, MEDIUM 263, LOW 40

Vulnerabilities

Page 17 of 23
CVE-2010-0774 | MEDIUM | CVSS 4.3 | CWE-264 | affects v6.0, v6.0.0.1 and 74 more | published 2010-05-17
The (1) JAX-RPC WS-Security 1.0 and (2) JAX-WS runtime implementations in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.41, 6.1 before 6.1.0.31, and 7.0 before 7.0.0.11 do not properly handle WebServices PKCS#7 and PKIPath tokens, which allows remote attackers to bypass intended access restrictions via unspecified vectors.
Source: NVD
CVE-2010-0777 | LOW | CVSS 2.6 | CWE-20 | affects v6.0, v6.0.0.1 and 74 more | published 2010-05-17
The Web Container in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.43, 6.1 before 6.1.0.31, and 7.0 before 7.0.0.11 does not properly handle long filenames and consequently sends an incorrect file in some responses, which allows remote attackers to obtain sensitive information by reading the retrieved file.
Source: NVD
CVE-2010-1651 | LOW | CVSS 1.9 | CWE-310 | affects v6.1, v6.1.0 and 42 more | published 2010-05-03
IBM WebSphere Application Server (WAS) 6.1.x before 6.1.0.31 and 7.0.x before 7.0.0.11, when Basic authentication and SIP tracing (aka full trace logging for SIP) are enabled, logs the entirety of all inbound and outbound SIP messages, which allows local users to obtain sensitive information by reading the trace log.
Source: NVD
CVE-2010-1650 | LOW | CVSS 1.9 | CWE-310 | affects v6.0, v6.0.0.1 and 92 more | published 2010-05-03
IBM WebSphere Application Server (WAS) 6.0.x before 6.0.2.41, 6.1.x before 6.1.0.31, and 7.0.x before 7.0.0.11, when the -trace option (aka debugging mode) is enabled, executes debugging statements that print string representations of unspecified objects, which allows attackers to obtain sensitive information by reading the trace output.
Source: NVD
CVE-2010-0768 | MEDIUM | CVSS 4.3 | CWE-79 | affects ≤ 6.0.2.39, v6.0.2 and 41 more | published 2010-04-01
Cross-site scripting (XSS) vulnerability in the Administration Console in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.41, 6.1 before 6.1.0.31, and 7.0 before 7.0.0.9 allows remote attackers to inject arbitrary web script or HTML via the URI.
Source: NVD
CVE-2010-0770 | MEDIUM | CVSS 4.0 | CWE-399 | affects ≤ 6.0.2.39, v6.0 and 46 more | published 2010-04-01
IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.41, 6.1 before 6.1.0.31, and 7.0 before 7.0.0.9 allows remote authenticated users to cause a denial of service (ORB ListenerThread hang) by aborting an SSL handshake.
Source: NVD
CVE-2010-0769 | LOW | CVSS 1.9 | CWE-255 | affects ≤ 6.0.2.39, v6.0 and 46 more | published 2010-04-01
IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.41, 6.1 before 6.1.0.31, and 7.0 before 7.0.0.9 does not properly define wsadmin scripting J2CConnectionFactory objects, which allows local users to discover a KeyRingPassword password by reading a cleartext field in the resources.xml file.
Source: NVD
CVE-2010-1182 | HIGH | CVSS 7.5 | affects v7.0, v7.0.0.1 and 7 more | published 2010-03-29
Multiple unspecified vulnerabilities in the administrative console in IBM WebSphere Application Server (WAS) 7.0.x before 7.0.0.9 on z/OS have unknown impact and attack vectors.
Source: NVD
CVE-2010-0425 | CRITICAL | CVSS 10.0 | PoC available | affects ≥ 6.1, < 6.1.0.31 | published 2010-03-05
modules/arch/win32/mod_isapi.c in mod_isapi in the Apache HTTP Server 2.0.37 through 2.0.63, 2.2.0 through 2.2.14, and 2.3.x before 2.3.7, when running on Windows, does not ensure that request processing is complete before calling isapi_unload for an ISAPI .dll module, which allows remote attackers to execute arbitrary code via unspecified vectors related t
Source: NVD
CVE-2010-0563 | MEDIUM | CVSS 5.0 | CWE-200 | affects v7.0, v7.0.0.1 and 4 more | published 2010-02-08
The Single Sign-on (SSO) functionality in IBM WebSphere Application Server (WAS) 7.0.0.0 through 7.0.0.8 does not recognize the Requires SSL configuration option, which might allow remote attackers to obtain sensitive information by sniffing network sessions that were expected to be encrypted.
Source: NVD
CVE-2009-2749 | MEDIUM | CVSS 6.4 | CWE-310 | affects v7.0.0.7 | published 2009-12-08
Feature Pack for Communications Enabled Applications (CEA) before 1.0.0.1 for IBM WebSphere Application Server 7.0.0.7 uses predictable session values, which allows man-in-the-middle attackers to spoof a collaboration session by guessing the value.
Source: NVD
CVE-2009-2746 | MEDIUM | CVSS 6.8 | CWE-352 | affects v6.0.2, v6.0.2.1 and 55 more | published 2009-11-16
Cross-site request forgery (CSRF) vulnerability in the administrative console in the Security component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.39, 6.1 before 6.1.0.29, and 7.0 before 7.0.0.7 allows remote attackers to hijack the authentication of administrators via unspecified vectors.
Source: NVD
CVE-2009-2744 | HIGH | CVSS 7.8 | affects v6.1, v6.1.0 and 27 more | published 2009-09-21
Unspecified vulnerability in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.27 allows remote attackers to cause a denial of service via unknown vectors, related to "an error in fixpacks 6.1.0.23 and 6.1.0.25."
Source: NVD
CVE-2009-2742 | MEDIUM | CVSS 4.3 | CWE-79 | affects v6.1, v6.1.0.1 and 13 more | published 2009-09-21
Cross-site scripting (XSS) vulnerability in Eclipse Help in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.27 allows remote attackers to inject arbitrary web script or HTML via unspecified input.
Source: NVD
CVE-2009-2743 | LOW | CVSS 2.1 | affects v6.1, v6.1.0.1 and 20 more | published 2009-09-21
IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.27, and 7.0 before 7.0.0.7, does not properly handle an exception occurring after use of wsadmin scripts and configuration of JAAS-J2C Authentication Data, which allows local users to obtain sensitive information by reading the First Failure Data Capture (FFDC) log file.
Source: NVD
CVE-2009-3106 | MEDIUM | CVSS 5.0 | CWE-264 | affects v6.0.2, v6.0.2.1 and 32 more | published 2009-09-08
The Servlet Engine/Web Container component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.37 does not properly implement security constraints on the (1) doGet and (2) doTrace methods, which allows remote attackers to bypass intended access restrictions and obtain sensitive information via a crafted HTTP HEAD request to a Web Application.
Source: NVD
CVE-2009-2088 | HIGH | CVSS 7.5 | CWE-287 | affects v6.1, v6.1.0 and 29 more | published 2009-08-13
The Servlet Engine/Web Container component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 and 7.0 before 7.0.0.5, when SPNEGO Single Sign-on (SSO) and disableSecurityPreInvokeOnFilters are configured, allows remote attackers to bypass authentication via a request for a "secure URL," related to a certain invokefilterscompatibility property
Source: NVD
CVE-2009-2092 | HIGH | CVSS 7.5 | CWE-284 | affects v7.0, v7.0.0.1 and 2 more | published 2009-08-13
IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.5 does not properly read the portletServingEnabled parameter in ibm-portlet-ext.xmi, which allows remote attackers to bypass intended access restrictions via unknown vectors.
Source: NVD
CVE-2009-2085 | HIGH | CVSS 7.5 | CWE-287 | affects v6.1, v6.1.0 and 29 more | published 2009-08-13
The Security component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 and 7.0 before 7.0.0.5 does not properly handle use of Identity Assertion with CSIv2 Security, which allows remote attackers to bypass intended CSIv2 access restrictions via vectors involving Enterprise JavaBeans (EJB).
Source: NVD
CVE-2009-2090 | MEDIUM | CVSS 5.0 | affects v7.0, v7.0.0.1 and 2 more | published 2009-08-13
Unspecified vulnerability in wsadmin in the System Management/Repository component in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.5 allows remote attackers to bypass intended Java Management Extensions (JMX) Management Beans (aka MBeans) access restrictions, and cause a denial of service (daemon stop), via unknown vectors.
Source: NVD