CVSS: 1.9EPSS: 0%CPEs: 48EXPL: 0CVE-2010-0769
https://notcve.org/view.php?id=CVE-2010-0769
IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.41, 6.1 before 6.1.0.31, and 7.0 before 7.0.0.9 does not properly define wsadmin scripting J2CConnectionFactory objects, which allows local users to discover a KeyRingPassword password by reading a cleartext field in the resources.xml file. IBM WebSphere Application Server (WAS) 6.0 en versiones anteriores a la 6.0.2.41, 6.1 en versiones anteriores a la 6.1.0.31 y 7.0 en versiones anteriores a la 7.0.0.9 no define de manera apropiada los objetos J2CConnectionFactory scripting wsadmin, lo que permite a atacantes locales descubrir una password KeyRingPassword mediante la lectura de un campo cleartext en el fichero resources.xml. • http://secunia.com/advisories/39140 http://www-01.ibm.com/support/docview.wss?uid=swg1PK95089 https://exchange.xforce.ibmcloud.com/vulnerabilities/57185 • CWE-255: Credentials Management Errors •
CVSS: 6.8EPSS: 0%CPEs: 59EXPL: 0CVE-2009-2746
https://notcve.org/view.php?id=CVE-2009-2746
Cross-site request forgery (CSRF) vulnerability in the administrative console in the Security component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.39, 6.1 before 6.1.0.29, and 7.0 before 7.0.0.7 allows remote attackers to hijack the authentication of administrators via unspecified vectors. Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en la consola de administración en el componente Security en IBM WebSphere Application Server (WAS) v6.0.2 anteriores a v6.0.2.39, v6.1 anteriores a v6.1.0.29, y v7.0 anteriores a v7.0.0.7 permite a atacantes remotos secuestrar la autenticación de administradores mediante vectores no especificados. • http://secunia.com/advisories/37221 http://www-01.ibm.com/support/docview.wss?uid=swg1PK87176 http://www-01.ibm.com/support/docview.wss?uid=swg1PK99477 http://www-01.ibm.com/support/docview.wss?uid=swg27014463 https://exchange.xforce.ibmcloud.com/vulnerabilities/54227 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 2.1EPSS: 0%CPEs: 22EXPL: 0CVE-2009-2743
https://notcve.org/view.php?id=CVE-2009-2743
IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.27, and 7.0 before 7.0.0.7, does not properly handle an exception occurring after use of wsadmin scripts and configuration of JAAS-J2C Authentication Data, which allows local users to obtain sensitive information by reading the First Failure Data Capture (FFDC) log file. En WebSphere Application Server (WAS) de IBM versiones 6.1 anteriores a 6.1.0.27 y versiones 7.0 anteriores a 7.0.0.7, no manejan apropiadamente una excepción que se produce después del uso de scripts wsadmin y la configuración de JAAS-J2C Authentication Data, que permite a los usuarios locales obtener información confidencial mediante la lectura del archivo de registro de First Failure Data Capture (FFDC). • http://secunia.com/advisories/37796 http://www-01.ibm.com/support/docview.wss?uid=swg27007951 http://www-01.ibm.com/support/docview.wss?uid=swg27014463 http://www-1.ibm.com/support/docview.wss?uid=swg1PK86137 http://www.vupen.com/english/advisories/2009/2721 https://exchange.xforce.ibmcloud.com/vulnerabilities/53343 •
CVSS: 7.5EPSS: 0%CPEs: 31EXPL: 0CVE-2009-2088
https://notcve.org/view.php?id=CVE-2009-2088
The Servlet Engine/Web Container component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 and 7.0 before 7.0.0.5, when SPNEGO Single Sign-on (SSO) and disableSecurityPreInvokeOnFilters are configured, allows remote attackers to bypass authentication via a request for a "secure URL," related to a certain invokefilterscompatibility property. El componente Servlet Engine/Web Container en IBM WebSphere Application Server (WAS) v6.1 anterior a v6.1.0.25 y v7.0 anterior a v7.0.0.5, cuando SPNEGO Single Sign-on (SSO) y disableSecurityPreInvokeOnFilters son configurados, permite a los atacantes remotos evitar la autenticación a través de una petición a una "URL segura", relativa a cierta propiedad invokefilterscompatibility. • http://www-01.ibm.com/support/docview.wss?uid=swg24022479 http://www-01.ibm.com/support/docview.wss?uid=swg27007951 http://www-01.ibm.com/support/docview.wss?uid=swg27014463 http://www-1.ibm.com/support/docview.wss?uid=swg1PK77465 https://exchange.xforce.ibmcloud.com/vulnerabilities/52079 • CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 0%CPEs: 31EXPL: 0CVE-2009-2085
https://notcve.org/view.php?id=CVE-2009-2085
The Security component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 and 7.0 before 7.0.0.5 does not properly handle use of Identity Assertion with CSIv2 Security, which allows remote attackers to bypass intended CSIv2 access restrictions via vectors involving Enterprise JavaBeans (EJB). El componente Security en IBM WebSphere Application Server (WAS) v6.1 anterior a v6.1.0.25 y v7.0 anterior a v7.0.0.5 no maneja adecuadamente la Aserción de Identidad (Identity Assertion) con CSIv2 Security, lo que permite a atacantes remotos evitar las restricciones de acceso establecidas con CSIv2 a través de vectores que involucran la "Enterprise JavaBeans" (EJB). • http://www-01.ibm.com/support/docview.wss?uid=swg27007951 http://www-01.ibm.com/support/docview.wss?uid=swg27014463 http://www-1.ibm.com/support/docview.wss?uid=swg1PK83097 https://exchange.xforce.ibmcloud.com/vulnerabilities/52076 • CWE-287: Improper Authentication •