CVSS: 5.0EPSS: 0%CPEs: 33EXPL: 0CVE-2009-1898
https://notcve.org/view.php?id=CVE-2009-1898
The secure login page in the Administrative Console component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.35 does not redirect to an https page upon receiving an http request, which makes it easier for remote attackers to read the contents of WAS sessions by sniffing the network. la página de "secure login" en el componente Administrative console en IBM WebSphere Application Server (WAS)v6.0.2 anterior a v6.0.2.35 no redirecciona a una página https hasta que recibe una petición http, lo que facilita a atacantes remotos la lectura de los contenidos de las sesiones WAS capturando paquetes de la red. • http://secunia.com/advisories/35301 http://www-01.ibm.com/support/docview.wss?uid=swg27006876 http://www-1.ibm.com/support/docview.wss?uid=swg1PK77010 http://www.securityfocus.com/bid/35405 http://www.vupen.com/english/advisories/2009/1464 https://exchange.xforce.ibmcloud.com/vulnerabilities/51170 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 10.0EPSS: 0%CPEs: 33EXPL: 0CVE-2009-1901
https://notcve.org/view.php?id=CVE-2009-1901
The Security component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.35 permits "non-standard http methods," which has unknown impact and remote attack vectors. El componente Security en IBM WebSphere Application Server (WAS) v6.0.2 anterior a v6.0.2.35 permite ·métodos http no estándares" que tienen vectores de ataque e impacto desconocidos. • http://www-01.ibm.com/support/docview.wss?uid=swg27006876 http://www-1.ibm.com/support/docview.wss?uid=swg1PK73246 http://www.securityfocus.com/bid/35405 http://www.vupen.com/english/advisories/2009/1464 https://exchange.xforce.ibmcloud.com/vulnerabilities/51173 •
CVSS: 5.5EPSS: 0%CPEs: 59EXPL: 0CVE-2009-0891
https://notcve.org/view.php?id=CVE-2009-0891
The Web Services Security component in IBM WebSphere Application Server 7.0 before Fix Pack 1 (7.0.0.1), 6.1 before Fix Pack 23 (6.1.0.23),and 6.0.2 before Fix Pack 33 (6.0.2.33) does not properly enforce (1) nonce and (2) timestamp expiration values in WS-Security bindings as stored in the com.ibm.wsspi.wssecurity.core custom property, which allows remote authenticated users to conduct session hijacking attacks. El componente Web Services Security en IBM WebSphere Application Server v7.0 anterior a Fix Pack 1 (v7.0.0.1), v6.1 anterior a Fix Pack 23 (v6.1.0.23),y v6.0.2 anterior Fix Pack 33 (v6.0.2.33) no respeta los valores (1)nonce y (2)timestamp expiration en los vínculos WS-Security tal y como se almacenan en la propiedad com.ibm.wsspi.wssecurity.core, lo que permite a usuarios remotos autenticados dirigir ataques de hijacking de sesión. • http://secunia.com/advisories/34131 http://www-01.ibm.com/support/docview.wss?uid=swg27006876 http://www-01.ibm.com/support/docview.wss?uid=swg27007951 http://www-01.ibm.com/support/docview.wss?uid=swg27014463 http://www-1.ibm.com/support/search.wss?rs=0&q=PK66676&apar=only https://exchange.xforce.ibmcloud.com/vulnerabilities/49391 • CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 0%CPEs: 34EXPL: 0CVE-2009-0508
https://notcve.org/view.php?id=CVE-2009-0508
The Servlet Engine/Web Container and JSP components in IBM WebSphere Application Server (WAS) 5.1.0, 5.1.1.19, 6.0.2 before 6.0.2.35, 6.1 before 6.1.0.23, and 7.0 before 7.0.0.3 allow remote attackers to read arbitrary files contained in war files in (1) web-inf, (2) meta-inf, and unspecified other directories via unknown vectors, related to (a) web-based applications and (b) the administrative console. El componente Servlet Engine/Web Container en IBM WebSphere Application Server (WAS) v5.1.0, v5.1.1.19, v6.0.2 anteriores a v6.0.2.35, v6.1 anteriores a v6.1.0.23, y v7.0 anteriores a v7.0.0.3 permite a atacantes remotos leer ficheros de su elección contenidos en los fichero "war" de (1) el directorio web-inf, (2) el directorio "meta-inf", y otros directorios no especificados mediante vectores desconocidos, relacionados con (a) aplicaciones web y (b) la consola de administración. • http://secunia.com/advisories/34283 http://secunia.com/advisories/34876 http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg24022456 http://www-01.ibm.com/support/docview.wss?uid=swg1PK81387 http://www-01.ibm.com/support/docview.wss?uid=swg21380233 http://www-01.ibm.com/support/docview.wss?uid=swg21380376 http://www-01.ibm.com/support/docview.wss? • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.2EPSS: 0%CPEs: 14EXPL: 0CVE-2009-0506
https://notcve.org/view.php?id=CVE-2009-0506
Unspecified vulnerability in IBM WebSphere Application Server (WAS) 5.1 and 6.0.2 before 6.0.2.33 on z/OS, when CSIv2 Identity Assertion is enabled and Enterprise JavaBeans (EJB) interaction occurs between a WAS 6.1 instance and a WAS pre-6.1 instance, allows local users to have an unknown impact via vectors related to (1) use of the wrong subject and (2) multiple CBIND checks. Vulnerabilidad sin especificar en IBM WebSphere Application Server (WAS) v5.1 y v6.0.2 anterior a v6.0.2.33 sobre z/OS, cuando está activado CSIv2 Identity Assertion y la interacción de Enterprise JavaBeans (EJB) ocurre entre una instancia de WAS v6.1 y WAS pre-6.1, permite a usuarios locales tener un impacto desconocido a través de vectores relacionados con (1) un uso del sujeto erróneo y (2)múltiples comprobaciones CBIND. • http://www-01.ibm.com/support/docview.wss?uid=swg27006876 http://www-1.ibm.com/support/docview.wss?uid=swg1PK71143 http://www.securityfocus.com/bid/33884 https://exchange.xforce.ibmcloud.com/vulnerabilities/48886 •