IBM WebSphere Application Server vulnerabilities
442 known vulnerabilities affecting ibm/websphere_application_server.
Total CVEs: 442
CISA KEV: 1 (actively exploited)
Public exploits: 13
Exploited in wild: 2
Severity breakdown: CRITICAL 49 | HIGH 92 | MEDIUM 261 | LOW 40
Vulnerabilities
Page 17 of 23
CVE-2010-0563 | MEDIUM | CVSS 5.0 | CWE-200 | affects v7.0, v7.0.0.1 and 4 more | published 2010-02-08
The Single Sign-on (SSO) functionality in IBM WebSphere Application Server (WAS) 7.0.0.0 through 7.0.0.8 does not recognize the Requires SSL configuration option, which might allow remote attackers to obtain sensitive information by sniffing network sessions that were expected to be encrypted.
Source: nvd
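One observable consequence of the defect above is an SSO cookie that reaches the browser without the Secure attribute, so it is replayed over plain HTTP. The following audit is an added example, not code from the page or from IBM. It assumes the WAS LTPA single sign-on cookies are named LtpaToken and LtpaToken2 (an assumption; pass your own names if your deployment differs), and the sample Set-Cookie headers are constructed.

```python
"""Audit Set-Cookie headers for SSO cookies sent without the Secure attribute.

Added example; not IBM code and not taken from the page. Assumption: the WAS
LTPA SSO cookie names are LtpaToken and LtpaToken2 (override via sso_names).
"""
from dataclasses import dataclass
import http.client


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie value into its name plus the two flags we care about."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].partition("=")[0].strip()
    # Attribute names are case-insensitive; keep only the key of key=value attributes.
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return CookieAudit(name=name, secure="secure" in attrs, httponly="httponly" in attrs)


def find_unprotected_sso_cookies(set_cookie_headers,
                                 sso_names=frozenset({"LtpaToken", "LtpaToken2"})):
    """Return the names of SSO cookies that lack the Secure attribute."""
    findings = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie.name in sso_names and not cookie.secure:
            findings.append(cookie.name)
    return findings


def fetch_set_cookie_headers(host: str, path: str = "/", timeout: float = 10.0):
    """Fetch a page over TLS and return every Set-Cookie header value.
    Needs network access; the offline sample below does not call it."""
    conn = http.client.HTTPSConnection(host, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
    finally:
        conn.close()


# Constructed sample: the first cookie is what an honoured "Requires SSL"
# setting should produce; the second reproduces the vulnerable behaviour.
SAMPLE_HEADERS = [
    "LtpaToken2=AAECAwQFBgcICQoLDA0ODw==; Path=/; Secure; HttpOnly",
    "LtpaToken=AAECAwQFBgcICQoLDA0ODw==; Path=/; HttpOnly",
    "JSESSIONID=0000abcd:1; Path=/; HttpOnly",
]

if __name__ == "__main__":
    for name in find_unprotected_sso_cookies(SAMPLE_HEADERS):
        print(f"SSO cookie {name} is set without Secure and will be sent over plain HTTP")
```

Run it against `fetch_set_cookie_headers("your-was-host", "/")` after a login to check a live deployment; a finding means the cookie, and therefore the session, is exposed to anyone who can sniff the network, whether or not the server-side option says SSL is required.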
CVE-2009-2749 | MEDIUM | CVSS 6.4 | CWE-310 | affects v7.0.0.7 | published 2009-12-08
Feature Pack for Communications Enabled Applications (CEA) before 1.0.0.1 for IBM WebSphere Application Server 7.0.0.7 uses predictable session values, which allows man-in-the-middle attackers to spoof a collaboration session by guessing the value.
Source: nvd
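A quick way to test whether identifiers like the collaboration session values above are guessable is to sample a few and look for a counter pattern or low character entropy. This is an added example, not code from the page or from IBM; the token formats are constructed for illustration and the threshold of 3.0 bits per character is an assumed cut-off.

```python
"""Guessability check for session/collaboration identifiers.

Added example, not from the page or from IBM. Constructed token samples;
the entropy threshold is an assumed cut-off, tune it for your identifier alphabet.
"""
import hashlib
import math
import re
from collections import Counter

_TRAILING_NUMBER = re.compile(r"^(?P<prefix>.*?)(?P<num>\d+)$")


def entropy_bits_per_char(tokens) -> float:
    """Shannon entropy of the character distribution across all sampled tokens."""
    counts = Counter("".join(tokens))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def predict_next(tokens):
    """If the tokens are prefix+counter with a constant step, return the next
    value an attacker would try; otherwise return None."""
    matches = [_TRAILING_NUMBER.match(t) for t in tokens]
    if len(tokens) < 3 or not all(matches):
        return None
    prefixes = {m.group("prefix") for m in matches}
    nums = [int(m.group("num")) for m in matches]
    steps = {b - a for a, b in zip(nums, nums[1:])}
    if len(prefixes) != 1 or len(steps) != 1:
        return None
    (prefix,), (step,) = prefixes, steps
    width = len(matches[-1].group("num"))  # keep zero padding of the observed values
    return f"{prefix}{nums[-1] + step:0{width}d}"


def assess(tokens, min_bits_per_char=3.0):
    """Return (verdict, detail) for a sample of observed identifiers."""
    guess = predict_next(tokens)
    if guess is not None:
        return "predictable", f"counter pattern, next value would be {guess}"
    bits = entropy_bits_per_char(tokens)
    if bits < min_bits_per_char:
        return "weak", f"only {bits:.2f} bits/char of character entropy"
    return "ok", f"{bits:.2f} bits/char, no counter pattern"


# Constructed samples: a sequential scheme and a hash-derived scheme.
SEQUENTIAL = [f"cea-sess-{n:04d}" for n in range(1001, 1009)]
HASHED = [hashlib.sha256(f"constructed-seed-{n}".encode()).hexdigest()[:32]
          for n in range(16)]

if __name__ == "__main__":
    for label, sample in (("sequential", SEQUENTIAL), ("hashed", HASHED)):
        verdict, detail = assess(sample)
        print(f"{label}: {verdict} ({detail})")
```

A "predictable" verdict is exactly the condition the advisory describes: an attacker who sees one value (or just the scheme) can guess the next and join the session. Note that high character entropy alone does not prove unpredictability; a hash of a counter looks random but is just as guessable if the attacker knows the scheme, so the fix is a CSPRNG-generated identifier, not a prettier encoding.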
CVE-2009-2746 | MEDIUM | CVSS 6.8 | CWE-352 | affects v6.0.2, v6.0.2.1 and 55 more | published 2009-11-16
Cross-site request forgery (CSRF) vulnerability in the administrative console in the Security component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.39, 6.1 before 6.1.0.29, and 7.0 before 7.0.0.7 allows remote attackers to hijack the authentication of administrators via unspecified vectors.
Source: nvd
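The defence against the CSRF class described above is to refuse a state-changing request unless it both comes from the console's own origin and carries a token that a cross-site page cannot obtain. The check below is an added example, not code from the page or from IBM's console; the request shape, the console origin and the session identifier are constructed for illustration.

```python
"""Origin check plus session-bound synchronizer token for admin actions.

Added example, not IBM code and not from the page. The console origin,
session id and request dictionaries are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # must never change state


def issue_csrf_token(session_id: str, server_secret: bytes) -> str:
    """Token bound to the session, so a token from the attacker's own session is useless."""
    return hmac.new(server_secret, session_id.encode(), hashlib.sha256).hexdigest()


def origin_matches(headers, expected_origin: str) -> bool:
    """Accept only requests whose Origin (or, failing that, Referer) is our own site."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # browsers send Origin on cross-site POSTs; absence is suspicious
    got, want = urlsplit(source), urlsplit(expected_origin)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def request_is_csrf_safe(method, headers, form, session_id, server_secret,
                         expected_origin) -> bool:
    if method.upper() in SAFE_METHODS:
        return True
    if not origin_matches(headers, expected_origin):
        return False
    expected = issue_csrf_token(session_id, server_secret)
    return hmac.compare_digest(expected, form.get("csrf_token", ""))


# Constructed scenario: one admin session, one legitimate console form post
# and one forged post launched from an attacker-controlled page. In both
# cases the browser attaches the admin's session cookie automatically.
SERVER_SECRET = secrets.token_bytes(32)
ADMIN_SESSION = "constructed-admin-session-id"
CONSOLE_ORIGIN = "https://console.example.internal:9043"

LEGIT = dict(
    method="POST",
    headers={"Origin": CONSOLE_ORIGIN},
    form={"app": "payroll", "csrf_token": issue_csrf_token(ADMIN_SESSION, SERVER_SECRET)},
)
FORGED = dict(
    method="POST",
    headers={"Origin": "https://attacker.example"},
    form={"app": "payroll"},  # attacker cannot read the admin's token
)


def check(req) -> bool:
    return request_is_csrf_safe(req["method"], req["headers"], req["form"],
                                ADMIN_SESSION, SERVER_SECRET, CONSOLE_ORIGIN)


if __name__ == "__main__":
    print("legitimate request accepted:", check(LEGIT))
    print("forged request accepted:", check(FORGED))
```

Both layers matter: the origin check fails open for clients that strip Referer and send no Origin only if you let it (here a missing header is rejected), and the token check alone would still pass a forged request if tokens were global rather than session-bound.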
CVE-2009-2744 | HIGH | CVSS 7.8 | affects v6.1, v6.1.0 and 27 more | published 2009-09-21
Unspecified vulnerability in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.27 allows remote attackers to cause a denial of service via unknown vectors, related to "an error in fixpacks 6.1.0.23 and 6.1.0.25."
Source: nvd
CVE-2009-2742 | MEDIUM | CVSS 4.3 | CWE-79 | affects v6.1, v6.1.0.1 and 13 more | published 2009-09-21
Cross-site scripting (XSS) vulnerability in Eclipse Help in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.27 allows remote attackers to inject arbitrary web script or HTML via unspecified input.
Source: nvd
CVE-2009-2743 | LOW | CVSS 2.1 | affects v6.1, v6.1.0.1 and 20 more | published 2009-09-21
IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.27, and 7.0 before 7.0.0.7, does not properly handle an exception occurring after use of wsadmin scripts and configuration of JAAS-J2C Authentication Data, which allows local users to obtain sensitive information by reading the First Failure Data Capture (FFDC) log file.
Source: nvd
CVE-2009-3106 | MEDIUM | CVSS 5.0 | CWE-264 | affects v6.0.2, v6.0.2.1 and 32 more | published 2009-09-08
The Servlet Engine/Web Container component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.37 does not properly implement security constraints on the (1) doGet and (2) doTrace methods, which allows remote attackers to bypass intended access restrictions and obtain sensitive information via a crafted HTTP HEAD request to a Web Application.
Source: nvd
CVE-2009-2088 | HIGH | CVSS 7.5 | CWE-287 | affects v6.1, v6.1.0 and 29 more | published 2009-08-13
The Servlet Engine/Web Container component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 and 7.0 before 7.0.0.5, when SPNEGO Single Sign-on (SSO) and disableSecurityPreInvokeOnFilters are configured, allows remote attackers to bypass authentication via a request for a "secure URL," related to a certain invokefilterscompatibility property.
Source: nvd
CVE-2009-2092 | HIGH | CVSS 7.5 | CWE-284 | affects v7.0, v7.0.0.1 and 2 more | published 2009-08-13
IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.5 does not properly read the portletServingEnabled parameter in ibm-portlet-ext.xmi, which allows remote attackers to bypass intended access restrictions via unknown vectors.
Source: nvd
CVE-2009-2085 | HIGH | CVSS 7.5 | CWE-287 | affects v6.1, v6.1.0 and 29 more | published 2009-08-13
The Security component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 and 7.0 before 7.0.0.5 does not properly handle use of Identity Assertion with CSIv2 Security, which allows remote attackers to bypass intended CSIv2 access restrictions via vectors involving Enterprise JavaBeans (EJB).
Source: nvd
CVE-2009-2090 | MEDIUM | CVSS 5.0 | affects v7.0, v7.0.0.1 and 2 more | published 2009-08-13
Unspecified vulnerability in wsadmin in the System Management/Repository component in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.5 allows remote attackers to bypass intended Java Management Extensions (JMX) Management Beans (aka MBeans) access restrictions, and cause a denial of service (daemon stop), via unknown vectors.
Source: nvd
CVE-2009-0906 | MEDIUM | CVSS 6.5 | CWE-287 | affects v1.0, v1.0.0.2 | published 2009-08-13
The Service Component Architecture (SCA) feature pack for IBM WebSphere Application Server (WAS) SCA 1.0 before 1.0.0.3 allows remote authenticated users to bypass intended authentication.transport access restrictions and obtain unspecified access via unknown vectors.
Source: nvd
CVE-2009-2091 | MEDIUM | CVSS 5.0 | CWE-264 | affects v7.0, v7.0.0.1 and 2 more | published 2009-08-13
The System Management/Repository component in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.5 on z/OS uses weak file permissions for new applications, which allows remote attackers to obtain sensitive information via unspecified vectors.
Source: nvd
CVE-2009-2089 | LOW | CVSS 2.1 | CWE-16 | affects v6.1, v6.1.0 and 29 more | published 2009-08-13
The Migration component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 and 7.0 before 7.0.0.5, when tracing is enabled and a 6.1 to 7.0 migration has occurred, allows remote authenticated users to obtain sensitive information by reading a Migration Trace file.
Source: nvd
CVE-2009-2087 | LOW | CVSS 2.1 | CWE-255 | affects v6.1, v6.1.0 and 29 more | published 2009-08-13
The Web Services functionality in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 and 7.0 before 7.0.0.5, in certain circumstances involving the ibm-webservicesclient-bind.xmi file and custom password encryption, uses weak password obfuscation, which allows local users to cause a denial of service (deployment failure) via unspecified vectors.
Source: nvd
CVE-2009-0217 | MEDIUM | CVSS 5.0 | affects v6.0, v6.0.0.1 and 67 more | published 2009-07-14
The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.
Source: nvd
CVE-2009-0904 | MEDIUM | CVSS 6.4 | CWE-264 | affects v6.1, v6.1.0 and 26 more | published 2009-07-05
The IBM Stax XMLStreamWriter in the Web Services component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 does not properly process XML encoding, which allows remote attackers to bypass intended access restrictions and possibly modify data via "XML fuzzing attacks" sent through SOAP requests.
Source: nvd
CVE-2009-0903 | HIGH | CVSS 7.5 | affects v6.1, v6.1.0 and 27 more | published 2009-06-25
IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.3, and the Feature Pack for Web Services for WAS 6.1 before 6.1.0.25, when a WS-Security policy is established at the operation level, does not properly handle inbound requests that lack a SOAPAction or WS-Addressing Action, which allows remote attackers to bypass intended access restrictions via a crafted
Source: nvd
CVE-2009-1901 | CRITICAL | CVSS 10.0 | affects ≤ 6.0.2.33, v6.0.2 and 31 more | published 2009-06-03
The Security component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.35 permits "non-standard http methods," which has unknown impact and remote attack vectors.
Source: nvd
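Both CVE-2009-3106 (a HEAD request slipping past a constraint that guards GET) and CVE-2009-1901 (non-standard HTTP methods being accepted) are verb-tampering issues in the container. The same effect is reproduced by design whenever a web.xml security constraint enumerates `<http-method>` elements, because every verb not listed is left unconstrained. The audit below is an added example, not code from the page or from IBM; it cannot detect the container defects themselves (only the fix packs address those), it flags descriptor configurations with the same exposure. The sample web.xml is constructed for illustration.

```python
"""Audit a web.xml for security constraints that leave HTTP verbs uncovered.

Added example, not IBM code and not from the page. The sample descriptor is
constructed; the audit finds application-side verb gaps, not the container bugs.
"""
import xml.etree.ElementTree as ET

# Standard verbs. A container may also accept extension methods, which is
# why an explicit allow-list of <http-method> is the wrong shape.
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}


def _local(tag: str) -> str:
    """Strip the XML namespace so the audit works for any web-app schema version."""
    return tag.rsplit("}", 1)[-1]


def _texts(parent, name):
    return [(e.text or "").strip() for e in parent if _local(e.tag) == name]


def audit_web_xml(xml_text: str):
    """Return one finding per web-resource-collection whose constraint does not
    cover every verb: (collection name, url patterns, uncovered verbs)."""
    root = ET.fromstring(xml_text)
    findings = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            name = (_texts(wrc, "web-resource-name") or ["<unnamed>"])[0]
            patterns = _texts(wrc, "url-pattern")
            listed = {m.upper() for m in _texts(wrc, "http-method")}
            omitted = {m.upper() for m in _texts(wrc, "http-method-omission")}
            if listed:
                # Only the listed verbs are constrained; everything else is open.
                uncovered = sorted(KNOWN_METHODS - listed) + ["any extension method"]
            elif omitted:
                uncovered = sorted(omitted)
            else:
                continue  # no method list: the constraint applies to every verb
            findings.append((name, patterns, uncovered))
    return findings


# Constructed sample: the first constraint is the weak shape, the second the
# hardened one (no <http-method>, so all verbs require the role).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin pages (weak)</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>administrator</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin pages (hardened)</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>administrator</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

if __name__ == "__main__":
    for name, patterns, uncovered in audit_web_xml(SAMPLE_WEB_XML):
        print(f"{name} {patterns}: reachable without the role via {', '.join(uncovered)}")
```

Verification on a running server is a single request: a HEAD (or an arbitrary verb) to a constrained URL that returns the same status and headers as an authenticated GET, instead of a 401/403 or redirect to the login form, means the constraint is not being applied to that verb, whether the cause is the descriptor or an unpatched container.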
CVE-2009-1899 | CRITICAL | CVSS 10.0 | affects ≤ 6.0.2.33, v6.0.2 and 31 more | published 2009-06-03
Unspecified vulnerability in the Administrative Configservice API in the System Management/Repository component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.35, 6.1 before 6.1.0.25, and 7.0 before 7.0.0.5 on z/OS allows remote authenticated users to obtain sensitive information via unknown use of the wsadmin scripting tool, related to a "sec
Source: nvd