CVSS: 5.5EPSS: 0%CPEs: 59EXPL: 0CVE-2009-0891
https://notcve.org/view.php?id=CVE-2009-0891
The Web Services Security component in IBM WebSphere Application Server 7.0 before Fix Pack 1 (7.0.0.1), 6.1 before Fix Pack 23 (6.1.0.23),and 6.0.2 before Fix Pack 33 (6.0.2.33) does not properly enforce (1) nonce and (2) timestamp expiration values in WS-Security bindings as stored in the com.ibm.wsspi.wssecurity.core custom property, which allows remote authenticated users to conduct session hijacking attacks. El componente Web Services Security en IBM WebSphere Application Server v7.0 anterior a Fix Pack 1 (v7.0.0.1), v6.1 anterior a Fix Pack 23 (v6.1.0.23),y v6.0.2 anterior Fix Pack 33 (v6.0.2.33) no respeta los valores (1)nonce y (2)timestamp expiration en los vínculos WS-Security tal y como se almacenan en la propiedad com.ibm.wsspi.wssecurity.core, lo que permite a usuarios remotos autenticados dirigir ataques de hijacking de sesión. • http://secunia.com/advisories/34131 http://www-01.ibm.com/support/docview.wss?uid=swg27006876 http://www-01.ibm.com/support/docview.wss?uid=swg27007951 http://www-01.ibm.com/support/docview.wss?uid=swg27014463 http://www-1.ibm.com/support/search.wss?rs=0&q=PK66676&apar=only https://exchange.xforce.ibmcloud.com/vulnerabilities/49391 • CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 0%CPEs: 34EXPL: 0CVE-2009-0508
https://notcve.org/view.php?id=CVE-2009-0508
The Servlet Engine/Web Container and JSP components in IBM WebSphere Application Server (WAS) 5.1.0, 5.1.1.19, 6.0.2 before 6.0.2.35, 6.1 before 6.1.0.23, and 7.0 before 7.0.0.3 allow remote attackers to read arbitrary files contained in war files in (1) web-inf, (2) meta-inf, and unspecified other directories via unknown vectors, related to (a) web-based applications and (b) the administrative console. El componente Servlet Engine/Web Container en IBM WebSphere Application Server (WAS) v5.1.0, v5.1.1.19, v6.0.2 anteriores a v6.0.2.35, v6.1 anteriores a v6.1.0.23, y v7.0 anteriores a v7.0.0.3 permite a atacantes remotos leer ficheros de su elección contenidos en los fichero "war" de (1) el directorio web-inf, (2) el directorio "meta-inf", y otros directorios no especificados mediante vectores desconocidos, relacionados con (a) aplicaciones web y (b) la consola de administración. • http://secunia.com/advisories/34283 http://secunia.com/advisories/34876 http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg24022456 http://www-01.ibm.com/support/docview.wss?uid=swg1PK81387 http://www-01.ibm.com/support/docview.wss?uid=swg21380233 http://www-01.ibm.com/support/docview.wss?uid=swg21380376 http://www-01.ibm.com/support/docview.wss? • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 2.1EPSS: 0%CPEs: 1EXPL: 0CVE-2009-0504
https://notcve.org/view.php?id=CVE-2009-0504
WSPolicy in the Web Services component in IBM WebSphere Application Server (WAS) 7.0.x before 7.0.0.1 does not properly recognize the IDAssertion.isUsed binding property, which allows local users to discover a password by reading a SOAP message. WSPolicy en el componente Web Services en IBM WebSphere Application Server (WAS) v7.0.x anterior a v7.0.0.1 no reconoce adecuadamente la propiedad de vínculo IDAssertion.isUsed, lo que permite a usuarios locales descubrir una contraseña leyendo un mensaje SOAP. • http://www-01.ibm.com/support/docview.wss?uid=swg27014463 http://www-1.ibm.com/support/docview.wss?uid=swg1PK73573 https://exchange.xforce.ibmcloud.com/vulnerabilities/48700 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 1.9EPSS: 0%CPEs: 56EXPL: 0CVE-2009-0434
https://notcve.org/view.php?id=CVE-2009-0434
PerfServlet in the PMI/Performance Tools component in IBM WebSphere Application Server (WAS) 6.0.x before 6.0.2.31, 6.1.x before 6.1.0.21, and 7.0.x before 7.0.0.1, when Performance Monitoring Infrastructure (PMI) is enabled, allows local users to obtain sensitive information by reading the (1) systemout.log and (2) ffdc files. NOTE: this is probably a duplicate of CVE-2008-5413. PerfServlet en el componente PMI/Performance Tools de IBM WebSphere Application Server (WAS) v6.0.x anterior a v6.0.2.31, v6.1.x anterior a v6.1.0.21 y v7.0.x anterior a v7.0.0.1, cuando está habilitado Performance Monitoring Infrastructure (PMI), permite a usuarios locales obtener información sensible leyendo los ficheros (1) systemout.log y (2) ffdc. NOTA: Puede que esta vulnerabilidad sea la misma que CVE-2008-5413. • http://www-01.ibm.com/support/docview.wss?uid=swg27006876 http://www-01.ibm.com/support/docview.wss?uid=swg27007951 http://www-01.ibm.com/support/docview.wss?uid=swg27014463 http://www-1.ibm.com/support/docview.wss?uid=swg1PK63886 http://www-1.ibm.com/support/docview.wss? • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.0EPSS: 0%CPEs: 2EXPL: 0CVE-2009-0438
https://notcve.org/view.php?id=CVE-2009-0438
IBM WebSphere Application Server (WAS) 7 before 7.0.0.1 on Windows allows remote attackers to bypass "Authorization checking" and obtain sensitive information from JSP pages via a crafted request. NOTE: this is probably a duplicate of CVE-2008-5412. IBM WebSphere Application Server (WAS) 7 anterior a v7.0.0.1 para Windows; permite a atacantes remotos evitar las "comprobaciones de Autenticación" y obtener información sensible de páginas JSP a través de una solicitud manipulada. NOTA: Puede que esta vulnerabilidad sea la misma que CVE-2008-5412. • http://www-01.ibm.com/support/docview.wss?uid=swg27014463 http://www-1.ibm.com/support/docview.wss?uid=swg1PK75248 http://www.securityfocus.com/bid/33700 https://exchange.xforce.ibmcloud.com/vulnerabilities/48528 • CWE-264: Permissions, Privileges, and Access Controls •