Ibm Websphere Application Server vulnerabilities

CVE-2016-0378 [LOW] CWE-200 CVE-2016-0378: IBM WebSphere Application Server (WAS) Liberty before 16.0.0.3, when the installation lacks a defaul IBM WebSphere Application Server (WAS) Liberty before 16.0.0.3, when the installation lacks a default error page, allows remote attackers to obtain sensitive information by triggering an exception.

CVE-2016-0377 [MEDIUM] CWE-200 CVE-2016-0377: The Administrative Console in IBM WebSphere Application Server (WAS) 7.x before 7.0.0.43, 8.0.x befo The Administrative Console in IBM WebSphere Application Server (WAS) 7.x before 7.0.0.43, 8.0.x before 8.0.0.13, and 8.5.x before 8.5.5.10 mishandles CSRFtoken cookies, which allows remote authenticated users to obtain sensitive information via unspecified vectors.

CVE-2016-5983 [HIGH] CWE-284 CVE-2016-5983: IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.43, 8.0 before 8.0.0.13, 8.5 before 8.5.5.11 IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.43, 8.0 before 8.0.0.13, 8.5 before 8.5.5.11, 9.0 before 9.0.0.2, and Liberty before 16.0.0.4 allows remote authenticated users to execute arbitrary Java code via a crafted serialized object.

CVE-2016-5986 [HIGH] CWE-200 CVE-2016-5986: IBM WebSphere Application Server (WAS) 7.x before 7.0.0.43, 8.0.x before 8.0.0.13, 8.5.x before 8.5. IBM WebSphere Application Server (WAS) 7.x before 7.0.0.43, 8.0.x before 8.0.0.13, 8.5.x before 8.5.5.11, 9.0.x before 9.0.0.2, and Liberty before 16.0.0.3 mishandles responses, which allows remote attackers to obtain sensitive information via unspecified vectors.

CVE-2016-0385 [LOW] CWE-119 CVE-2016-0385: Buffer overflow in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.43, 8.0 before 8.0.0.13, Buffer overflow in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.43, 8.0 before 8.0.0.13, 8.5 before 8.5.5.10, 9.0 before 9.0.0.1, and Liberty before 16.0.0.3, when HttpSessionIdReuse is enabled, allows remote authenticated users to obtain sensitive information via unspecified vectors.

CVE-2016-2960 [LOW] CWE-284 CVE-2016-2960: IBM WebSphere Application Server (WAS) 7.x before 7.0.0.43, 8.0.0.x before 8.0.0.13, 8.5.0.x before IBM WebSphere Application Server (WAS) 7.x before 7.0.0.43, 8.0.0.x before 8.0.0.13, 8.5.0.x before 8.5.5.10, 8.5.0.x and 16.0.0.x Liberty before Liberty Fix Pack 16.0.0.3, and 9.0.0.x before 9.0.0.1 allows remote attackers to cause a denial of service via crafted SIP messages.

CVE-2016-2945 [HIGH] CWE-264 CVE-2016-2945: The API Discovery implementation in IBM WebSphere Application Server (WAS) 8.5.5.8 through 8.5.5.9 L The API Discovery implementation in IBM WebSphere Application Server (WAS) 8.5.5.8 through 8.5.5.9 Liberty before Liberty Fix Pack 16.0.0.2 allows remote authenticated users to gain privileges via an external reference in a Swagger document.

CVE-2016-2923 [HIGH] CWE-200 CVE-2016-2923: IBM WebSphere Application Server (WAS) 8.5 through 8.5.5.9 Liberty before Liberty Fix Pack 16.0.0.2 IBM WebSphere Application Server (WAS) 8.5 through 8.5.5.9 Liberty before Liberty Fix Pack 16.0.0.2 does not include the HTTPOnly flag in a Set-Cookie header for an unspecified JAX-RS API cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

CVE-2016-0389 [MEDIUM] CWE-200 CVE-2016-0389: Admin Center in IBM WebSphere Application Server (WAS) 8.5.5.2 through 8.5.5.9 Liberty before Libert Admin Center in IBM WebSphere Application Server (WAS) 8.5.5.2 through 8.5.5.9 Liberty before Liberty Fix Pack 16.0.0.2 allows remote attackers to obtain sensitive information via unspecified vectors.

CVE-2016-0359 [MEDIUM] CVE-2016-0359: CRLF injection vulnerability in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.43, 8.0 befo CRLF injection vulnerability in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.43, 8.0 before 8.0.0.13, 8.5 Full before 8.5.5.10, and 8.5 Liberty before Liberty Fix Pack 16.0.0.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL.

CVE-2015-5041 [CRITICAL] CWE-200 CVE-2015-5041: The J9 JVM in IBM SDK, Java Technology Edition 6 before SR16 FP20, 6 R1 before SR8 FP20, 7 before SR The J9 JVM in IBM SDK, Java Technology Edition 6 before SR16 FP20, 6 R1 before SR8 FP20, 7 before SR9 FP30, and 7 R1 before SR3 FP30 allows remote attackers to obtain sensitive information or inject data by invoking non-public interface methods.

CVE-2016-0306 [MEDIUM] CWE-200 CVE-2016-0306: IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.41, 8.0 before 8.0.0.13, and 8.5 before 8.5. IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.41, 8.0 before 8.0.0.13, and 8.5 before 8.5.5.10, when FIPS 140-2 is enabled, misconfigures TLS, which allows man-in-the-middle attackers to obtain sensitive information via unspecified vectors.

CVE-2016-0283 [MEDIUM] CWE-79 CVE-2016-0283: Cross-site scripting (XSS) vulnerability in the OpenID Connect (OIDC) client web application in IBM Cross-site scripting (XSS) vulnerability in the OpenID Connect (OIDC) client web application in IBM WebSphere Application Server (WAS) Liberty Profile 8.5.5 before 8.5.5.9 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

CVE-2015-7417 [MEDIUM] CWE-79 CVE-2015-7417: Cross-site scripting (XSS) vulnerability in IBM WebSphere Application Server 7.0 before 7.0.0.41, 8. Cross-site scripting (XSS) vulnerability in IBM WebSphere Application Server 7.0 before 7.0.0.41, 8.0 before 8.0.0.12, and 8.5 before 8.5.5.9 allows remote authenticated users to inject arbitrary web script or HTML via crafted data from an OAuth provider.

CVE-2015-7450 [CRITICAL] CWE-502 CVE-2015-7450: Serialized-object interfaces in certain IBM analytics, business solutions, cognitive, IT infrastruct Serialized-object interfaces in certain IBM analytics, business solutions, cognitive, IT infrastructure, and mobile and social products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the InvokerTransformer class in the Apache Commons Collections library.

CVE-2015-5004 [MEDIUM] CWE-200 CVE-2015-5004: The Edge Component Caching Proxy in IBM WebSphere Application Server (WAS) 8.0 before 8.0.0.12 and 8 The Edge Component Caching Proxy in IBM WebSphere Application Server (WAS) 8.0 before 8.0.0.12 and 8.5 before 8.5.5.8 does not properly encrypt data, which allows remote authenticated users to obtain sensitive information via unspecified vectors.

CVE-2015-2017 [MEDIUM] CVE-2015-2017: CRLF injection vulnerability in IBM WebSphere Application Server (WAS) 6.1 through 6.1.0.47, 7.0 bef CRLF injection vulnerability in IBM WebSphere Application Server (WAS) 6.1 through 6.1.0.47, 7.0 before 7.0.0.39, 8.0 before 8.0.0.12, and 8.5 before 8.5.5.8 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL.

CVE-2015-4938 [MEDIUM] CVE-2015-4938: IBM WebSphere Application Server 7.x before 7.0.0.39, 8.0.x before 8.0.0.11, and 8.5.x before 8.5.5. IBM WebSphere Application Server 7.x before 7.0.0.39, 8.0.x before 8.0.0.11, and 8.5.x before 8.5.5.7 allows remote attackers to spoof servlets and obtain sensitive information via unspecified vectors.

CVE-2015-1932 [MEDIUM] CWE-200 CVE-2015-1932: IBM WebSphere Application Server 7.x before 7.0.0.39, 8.0.x before 8.0.0.11, and 8.5.x before 8.5.5. IBM WebSphere Application Server 7.x before 7.0.0.39, 8.0.x before 8.0.0.11, and 8.5.x before 8.5.5.7 and WebSphere Virtual Enterprise before 7.0.0.7 allow remote attackers to obtain potentially sensitive information about the proxy-server software by reading the HTTP Via header.

CVE-2015-1936 [MEDIUM] CWE-284 CVE-2015-1936: The administrative console in IBM WebSphere Application Server (WAS) 8.0.0 before 8.0.0.11 and 8.5 b The administrative console in IBM WebSphere Application Server (WAS) 8.0.0 before 8.0.0.11 and 8.5 before 8.5.5.6, when the Security feature is disabled, allows remote authenticated users to hijack sessions via the JSESSIONID parameter.