IBM WebSphere Application Server vulnerabilities
451 known vulnerabilities affecting ibm/websphere_application_server.
Total CVEs: 451
CISA KEV: 1 (actively exploited)
Public exploits: 13
Exploited in wild: 2
Severity breakdown: CRITICAL 53, HIGH 95, MEDIUM 263, LOW 40
Vulnerabilities (page 18 of 23)
CVE-2009-0906 [MEDIUM] CVSS 6.5, CWE-287. Affected: v1.0, v1.0.0.2. Published 2009-08-13.
The Service Component Architecture (SCA) feature pack for IBM WebSphere Application Server (WAS) SCA 1.0 before 1.0.0.3 allows remote authenticated users to bypass intended authentication.transport access restrictions and obtain unspecified access via unknown vectors.
Source: nvd
CVE-2009-2091 [MEDIUM] CVSS 5.0, CWE-264. Affected: v7.0, v7.0.0.1, +2 more. Published 2009-08-13.
The System Management/Repository component in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.5 on z/OS uses weak file permissions for new applications, which allows remote attackers to obtain sensitive information via unspecified vectors.
Source: nvd
CVE-2009-2089 [LOW] CVSS 2.1, CWE-16. Affected: v6.1, v6.1.0, +29 more. Published 2009-08-13.
The Migration component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 and 7.0 before 7.0.0.5, when tracing is enabled and a 6.1 to 7.0 migration has occurred, allows remote authenticated users to obtain sensitive information by reading a Migration Trace file.
Source: nvd
CVE-2009-2087 [LOW] CVSS 2.1, CWE-255. Affected: v6.1, v6.1.0, +29 more. Published 2009-08-13.
The Web Services functionality in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 and 7.0 before 7.0.0.5, in certain circumstances involving the ibm-webservicesclient-bind.xmi file and custom password encryption, uses weak password obfuscation, which allows local users to cause a denial of service (deployment failure) via unspecified vectors.
Source: nvd
CVE-2009-0217 [MEDIUM] CVSS 5.0. Affected: v6.0, v6.0.0.1, +67 more. Published 2009-07-14.
The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.
Source: nvd
CVE-2009-0904 [MEDIUM] CVSS 6.4, CWE-264. Affected: v6.1, v6.1.0, +26 more. Published 2009-07-05.
The IBM Stax XMLStreamWriter in the Web Services component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 does not properly process XML encoding, which allows remote attackers to bypass intended access restrictions and possibly modify data via "XML fuzzing attacks" sent through SOAP requests.
Source: nvd
CVE-2009-0903 [HIGH] CVSS 7.5. Affected: v6.1, v6.1.0, +27 more. Published 2009-06-25.
IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.3, and the Feature Pack for Web Services for WAS 6.1 before 6.1.0.25, when a WS-Security policy is established at the operation level, does not properly handle inbound requests that lack a SOAPAction or WS-Addressing Action, which allows remote attackers to bypass intended access restrictions via a crafted
Source: nvd
CVE-2009-1901 [CRITICAL] CVSS 10.0. Affected: ≤ 6.0.2.33, v6.0.2, +31 more. Published 2009-06-03.
The Security component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.35 permits "non-standard http methods," which has unknown impact and remote attack vectors.
Source: nvd
CVE-2009-1899 [CRITICAL] CVSS 10.0. Affected: ≤ 6.0.2.33, v6.0.2, +31 more. Published 2009-06-03.
Unspecified vulnerability in the Administrative Configservice API in the System Management/Repository component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.35, 6.1 before 6.1.0.25, and 7.0 before 7.0.0.5 on z/OS allows remote authenticated users to obtain sensitive information via unknown use of the wsadmin scripting tool, related to a "sec
Source: nvd
CVE-2009-1900 [MEDIUM] CVSS 5.0, CWE-200. Affected: ≤ 6.0.2.33, v6.0.2, +31 more. Published 2009-06-03.
The Configservice APIs in the Administrative Console component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.35, 6.1 before 6.1.0.25, and 7.0 before 7.0.0.5, when tracing is enabled, allow remote attackers to obtain sensitive information via unspecified use of the wsadmin scripting tool.
Source: nvd
CVE-2009-1898 [MEDIUM] CVSS 5.0, CWE-200. Affected: ≤ 6.0.2.33, v6.0.2, +31 more. Published 2009-06-03.
The secure login page in the Administrative Console component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.35 does not redirect to an https page upon receiving an http request, which makes it easier for remote attackers to read the contents of WAS sessions by sniffing the network.
Source: nvd
CVE-2009-0899 [MEDIUM] CVSS 4.3, CWE-264. Affected: ≥ 6.1 and ≤ 6.1.0.24; ≥ 7.0 and ≤ 7.0.0.4. Published 2009-06-03.
IBM WebSphere Application Server (WAS) 6.1 through 6.1.0.24 and 7.0 through 7.0.0.4, IBM WebSphere Portal Server 5.1 through 6.0, and IBM Integrated Solutions Console (ISC) 6.0.1 do not properly set the IsSecurityEnabled security flag during migration of WebSphere Member Manager (WMM) to Virtual Member Manager (VMM) and a Federated Repository, which a
Source: nvd
CVE-2009-1172 [CRITICAL] CVSS 10.0, CWE-20. Affected: v6.1, v6.1.0, +25 more. Published 2009-03-31.
The JAX-RPC WS-Security runtime in the Web Services Security component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.23 and 7.0 before 7.0.0.3, when APAR PK41002 is installed, does not properly validate UsernameToken objects, which has unknown impact and attack vectors.
Source: nvd
CVE-2009-1174 [CRITICAL] CVSS 10.0, CWE-310. Affected: v7.0, v7.0.0.1. Published 2009-03-31.
The Web Services Security component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.35 and 7.0 before 7.0.0.3 has an unspecified "security problem" in the XML digital-signature specification, which has unknown impact and attack vectors.
Source: nvd
CVE-2009-0892 [MEDIUM] CVSS 5.5, CWE-287. Affected: v6.1, v6.1.0, +25 more. Published 2009-03-31.
The administrative console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.23 and 7.0 before 7.0.0.3 allows attackers to hijack user sessions in "specific scenarios" related to a forced logout.
Source: nvd
CVE-2009-1173 [LOW] CVSS 2.1, CWE-264. Affected: v7.0, v7.0.0.1. Published 2009-03-31.
IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.3 uses weak permissions (777) for files associated with unspecified "interim fixes," which allows attackers to modify files that would not have been accessible if the intended 755 permissions were used.
Source: nvd
CVE-2009-0891 [MEDIUM] CVSS 5.5, CWE-287. Affected: v6.0.2, v6.0.2.1, +56 more. Published 2009-03-25.
The Web Services Security component in IBM WebSphere Application Server 7.0 before Fix Pack 1 (7.0.0.1), 6.1 before Fix Pack 23 (6.1.0.23), and 6.0.2 before Fix Pack 33 (6.0.2.33) does not properly enforce (1) nonce and (2) timestamp expiration values in WS-Security bindings as stored in the com.ibm.wsspi.wssecurity.core custom property, which allows r
Source: nvd
CVE-2009-0508 [HIGH] CVSS 7.5, CWE-200. Affected: v5.1.0, v5.1.1.19, +32 more. Published 2009-03-16.
The Servlet Engine/Web Container and JSP components in IBM WebSphere Application Server (WAS) 5.1.0, 5.1.1.19, 6.0.2 before 6.0.2.35, 6.1 before 6.1.0.23, and 7.0 before 7.0.0.3 allow remote attackers to read arbitrary files contained in war files in (1) web-inf, (2) meta-inf, and unspecified other directories via unknown vectors, related to (a) web-bas
Source: nvd
CVE-2009-0855 [MEDIUM] CVSS 4.3, CWE-79. Public PoC available. Affected: v6.1, v6.1.0, +23 more. Published 2009-03-09.
Cross-site scripting (XSS) vulnerability in the administrative console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.23 on z/OS allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Source: nvd
CVE-2009-0856 [MEDIUM] CVSS 4.3, CWE-79. Affected: v6.1, v6.1.0.0, +22 more. Published 2009-03-09.
Multiple cross-site scripting (XSS) vulnerabilities in sample applications in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.35, and 6.1 before 6.1.0.23 on z/OS, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Source: nvd