Page 21 of 132 results (0.017 seconds)

CVSS: 7.5EPSS: 0%CPEs: 31EXPL: 0

The Security component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 and 7.0 before 7.0.0.5 does not properly handle use of Identity Assertion with CSIv2 Security, which allows remote attackers to bypass intended CSIv2 access restrictions via vectors involving Enterprise JavaBeans (EJB). El componente Security en IBM WebSphere Application Server (WAS) v6.1 anterior a v6.1.0.25 y v7.0 anterior a v7.0.0.5 no maneja adecuadamente la Aserción de Identidad (Identity Assertion) con CSIv2 Security, lo que permite a atacantes remotos evitar las restricciones de acceso establecidas con CSIv2 a través de vectores que involucran la "Enterprise JavaBeans" (EJB). • http://www-01.ibm.com/support/docview.wss?uid=swg27007951 http://www-01.ibm.com/support/docview.wss?uid=swg27014463 http://www-1.ibm.com/support/docview.wss?uid=swg1PK83097 https://exchange.xforce.ibmcloud.com/vulnerabilities/52076 • CWE-287: Improper Authentication •

CVSS: 7.5EPSS: 0%CPEs: 31EXPL: 0

The Servlet Engine/Web Container component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 and 7.0 before 7.0.0.5, when SPNEGO Single Sign-on (SSO) and disableSecurityPreInvokeOnFilters are configured, allows remote attackers to bypass authentication via a request for a "secure URL," related to a certain invokefilterscompatibility property. El componente Servlet Engine/Web Container en IBM WebSphere Application Server (WAS) v6.1 anterior a v6.1.0.25 y v7.0 anterior a v7.0.0.5, cuando SPNEGO Single Sign-on (SSO) y disableSecurityPreInvokeOnFilters son configurados, permite a los atacantes remotos evitar la autenticación a través de una petición a una "URL segura", relativa a cierta propiedad invokefilterscompatibility. • http://www-01.ibm.com/support/docview.wss?uid=swg24022479 http://www-01.ibm.com/support/docview.wss?uid=swg27007951 http://www-01.ibm.com/support/docview.wss?uid=swg27014463 http://www-1.ibm.com/support/docview.wss?uid=swg1PK77465 https://exchange.xforce.ibmcloud.com/vulnerabilities/52079 • CWE-287: Improper Authentication •

CVSS: 2.1EPSS: 0%CPEs: 31EXPL: 0

The Migration component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 and 7.0 before 7.0.0.5, when tracing is enabled and a 6.1 to 7.0 migration has occurred, allows remote authenticated users to obtain sensitive information by reading a Migration Trace file. El componente Migration en IBM WebSphere Application Server (WAS) v6.1 anteriores a v6.1.0.25 y v7.0 anteriores a v7.0.0.5, cuando cuando la traza está habilitada y una migración de 6.0 a 7.0 ha sucedido, lo que permite a los usuarios remotos autenticados obtener información sensible leyendo un archivo Migration Trace. • http://www-01.ibm.com/support/docview.wss?uid=swg27007951 http://www-01.ibm.com/support/docview.wss?uid=swg27014463 http://www-1.ibm.com/support/docview.wss?uid=swg1PK80337 http://www.securityfocus.com/bid/36156 https://exchange.xforce.ibmcloud.com/vulnerabilities/52081 • CWE-16: Configuration •

CVSS: 5.0EPSS: 97%CPEs: 93EXPL: 0

The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits. El diseño de la recomendación de W3C XML Signature Syntax and Processing (XMLDsig), tal y como es implementado en productos que incluyen (1) el componente Oracle Security Developer Tools de Application Server de Oracle en versiones 10.1.2.3, 10.1.3.4 y 10.1.4.3IM; (2) el componente WebLogic Server de Product Suite de BEA en las versiones 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0 y 8.1 SP6; (3) Mono anterior a versión 2.4.2.2; (4) XML Security Library anterior a versión 1.2.12; (5) WebSphere Application Server de IBM versiones 6.0 hasta 6.0.2.33, versiones 6.1 hasta 6.1.0.23 y versiones 7.0 hasta 7.0.0.1; (6) JDK y JRE de Sun Update 14 y versiones anteriores; (7) .NET Framework de Microsoft versiones 3.0 hasta 3.0 SP2, versiones 3.5 y 4.0; y otros productos utilizan un parámetro que define una longitud de truncamiento HMAC (HMACOutputLength) pero no requiere un mínimo para esta longitud, lo que permite a los atacantes suplantar firmas basadas en HMAC y omitir la autenticación mediante la especificación de una longitud de truncamiento con un pequeño número de bits. • http://blogs.sun.com/security/entry/cert_vulnerability_note_vu_466161 http://git.gnome.org/cgit/xmlsec/commit/?id=34b349675af9f72eb822837a8772cc1ead7115c7 http://git.gnome.org/cgit/xmlsec/patch/?id=34b349675af9f72eb822837a8772cc1ead7115c7 http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00005.html http://marc.info/?l=bugtraq&m=125787273209737&w=2 •

CVSS: 6.4EPSS: 0%CPEs: 28EXPL: 0

The IBM Stax XMLStreamWriter in the Web Services component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 does not properly process XML encoding, which allows remote attackers to bypass intended access restrictions and possibly modify data via "XML fuzzing attacks" sent through SOAP requests. IBM Stax XMLStreamWriter en el componente Web Services de IBM WebSphere Application Server (WAS) v6.1 anterior a v6.1.0.25 , no procesa adecuadamente codificación XML, esto permite a atacantes remotos evitar las restricciones de acceso pretendidas y puede que modificar datos a través de "ataques difusos XML" enviados a través de solicitudes SOAP. • http://www-01.ibm.com/support/docview.wss?uid=swg27007951 http://www-1.ibm.com/support/docview.wss?uid=swg1PK84015 http://www.securityfocus.com/bid/35741 https://exchange.xforce.ibmcloud.com/vulnerabilities/51490 • CWE-264: Permissions, Privileges, and Access Controls •