CVE-2009-0899
https://notcve.org/view.php?id=CVE-2009-0899
IBM WebSphere Application Server (WAS) 6.1 through 6.1.0.24 and 7.0 through 7.0.0.4, IBM WebSphere Portal Server 5.1 through 6.0, and IBM Integrated Solutions Console (ISC) 6.0.1 do not properly set the IsSecurityEnabled security flag during migration of WebSphere Member Manager (WMM) to Virtual Member Manager (VMM) and a Federated Repository, which allows attackers to obtain sensitive information from repositories via unspecified vectors. IBM WebSphere Application Server (WAS) v6.1 a la v6.1.0.24 y v7.0 a la v7.0.0.4, IBM WebSphere Portal Server v5.1 a la v6.0, e IBM Integrated Solutions Console (ISC) v6.0.1, no establecen adecuadamente la opción de seguridad IsSecurityEnabled durante la migración de WebSphere Member Manager (WMM) a Virtual Member Manager (VMM) y a Federated Repository, lo que permite a atacantes obtener información sensible de los repositorios a través de vectores no especificados. • http://www-01.ibm.com/support/docview.wss?uid=swg21375859 http://www-1.ibm.com/support/docview.wss?uid=swg1PK78134 http://www.securityfocus.com/bid/35406 https://exchange.xforce.ibmcloud.com/vulnerabilities/50882 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2009-1172
https://notcve.org/view.php?id=CVE-2009-1172
The JAX-RPC WS-Security runtime in the Web Services Security component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.23 and 7.0 before 7.0.0.3, when APAR PK41002 is installed, does not properly validate UsernameToken objects, which has unknown impact and attack vectors. El JAX-RPC Runtime WS-Security en el componente Web Services Security en IBM WebSphere Application Server (WAS) v6.1 versiones anteriores a v6.1.0.23 y v7.0 versiones anteriores a v7.0.0.3, cuando APAR PK41002 está instalado, no valida apropiadamente objetos UsernameToken, lo cual tiene un impacto y vectores de ataque desconocidos. • http://secunia.com/advisories/34131 http://secunia.com/advisories/34461 http://www-01.ibm.com/support/docview.wss?uid=swg1PK75992 http://www-01.ibm.com/support/docview.wss?uid=swg21367223 http://www-01.ibm.com/support/docview.wss?uid=swg27007951 http://www-01.ibm.com/support/docview.wss?uid=swg27014463 http://www.securityfocus.com/bid/34502 • CWE-20: Improper Input Validation •
CVE-2009-0892
https://notcve.org/view.php?id=CVE-2009-0892
The administrative console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.23 and 7.0 before 7.0.0.3 allows attackers to hijack user sessions in "specific scenarios" related to a forced logout. La consola de administración en IBM WebSphere Application Server (WAS) v6.1 versiones anteriores a v6.1.0.23 y v7.0 versiones anteriores a v7.0.0.3 permite a atacantes secuestrar sesiones de usuarios en "escenarios específicos" relacionados con cierres de sesión forzadas. • http://secunia.com/advisories/34131 http://www-01.ibm.com/support/docview.wss?uid=swg1PK74966 http://www-01.ibm.com/support/docview.wss?uid=swg27007951 http://www-01.ibm.com/support/docview.wss?uid=swg27014463 http://www.securityfocus.com/bid/34501 https://exchange.xforce.ibmcloud.com/vulnerabilities/49499 • CWE-287: Improper Authentication •
CVE-2009-0891
https://notcve.org/view.php?id=CVE-2009-0891
The Web Services Security component in IBM WebSphere Application Server 7.0 before Fix Pack 1 (7.0.0.1), 6.1 before Fix Pack 23 (6.1.0.23),and 6.0.2 before Fix Pack 33 (6.0.2.33) does not properly enforce (1) nonce and (2) timestamp expiration values in WS-Security bindings as stored in the com.ibm.wsspi.wssecurity.core custom property, which allows remote authenticated users to conduct session hijacking attacks. El componente Web Services Security en IBM WebSphere Application Server v7.0 anterior a Fix Pack 1 (v7.0.0.1), v6.1 anterior a Fix Pack 23 (v6.1.0.23),y v6.0.2 anterior Fix Pack 33 (v6.0.2.33) no respeta los valores (1)nonce y (2)timestamp expiration en los vínculos WS-Security tal y como se almacenan en la propiedad com.ibm.wsspi.wssecurity.core, lo que permite a usuarios remotos autenticados dirigir ataques de hijacking de sesión. • http://secunia.com/advisories/34131 http://www-01.ibm.com/support/docview.wss?uid=swg27006876 http://www-01.ibm.com/support/docview.wss?uid=swg27007951 http://www-01.ibm.com/support/docview.wss?uid=swg27014463 http://www-1.ibm.com/support/search.wss?rs=0&q=PK66676&apar=only https://exchange.xforce.ibmcloud.com/vulnerabilities/49391 • CWE-287: Improper Authentication •
CVE-2009-0508
https://notcve.org/view.php?id=CVE-2009-0508
The Servlet Engine/Web Container and JSP components in IBM WebSphere Application Server (WAS) 5.1.0, 5.1.1.19, 6.0.2 before 6.0.2.35, 6.1 before 6.1.0.23, and 7.0 before 7.0.0.3 allow remote attackers to read arbitrary files contained in war files in (1) web-inf, (2) meta-inf, and unspecified other directories via unknown vectors, related to (a) web-based applications and (b) the administrative console. El componente Servlet Engine/Web Container en IBM WebSphere Application Server (WAS) v5.1.0, v5.1.1.19, v6.0.2 anteriores a v6.0.2.35, v6.1 anteriores a v6.1.0.23, y v7.0 anteriores a v7.0.0.3 permite a atacantes remotos leer ficheros de su elección contenidos en los fichero "war" de (1) el directorio web-inf, (2) el directorio "meta-inf", y otros directorios no especificados mediante vectores desconocidos, relacionados con (a) aplicaciones web y (b) la consola de administración. • http://secunia.com/advisories/34283 http://secunia.com/advisories/34876 http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg24022456 http://www-01.ibm.com/support/docview.wss?uid=swg1PK81387 http://www-01.ibm.com/support/docview.wss?uid=swg21380233 http://www-01.ibm.com/support/docview.wss?uid=swg21380376 http://www-01.ibm.com/support/docview.wss? • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •