CVE-2009-1898
https://notcve.org/view.php?id=CVE-2009-1898
The secure login page in the Administrative Console component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.35 does not redirect to an https page upon receiving an http request, which makes it easier for remote attackers to read the contents of WAS sessions by sniffing the network. la página de "secure login" en el componente Administrative console en IBM WebSphere Application Server (WAS)v6.0.2 anterior a v6.0.2.35 no redirecciona a una página https hasta que recibe una petición http, lo que facilita a atacantes remotos la lectura de los contenidos de las sesiones WAS capturando paquetes de la red. • http://secunia.com/advisories/35301 http://www-01.ibm.com/support/docview.wss?uid=swg27006876 http://www-1.ibm.com/support/docview.wss?uid=swg1PK77010 http://www.securityfocus.com/bid/35405 http://www.vupen.com/english/advisories/2009/1464 https://exchange.xforce.ibmcloud.com/vulnerabilities/51170 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2009-1172
https://notcve.org/view.php?id=CVE-2009-1172
The JAX-RPC WS-Security runtime in the Web Services Security component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.23 and 7.0 before 7.0.0.3, when APAR PK41002 is installed, does not properly validate UsernameToken objects, which has unknown impact and attack vectors. El JAX-RPC Runtime WS-Security en el componente Web Services Security en IBM WebSphere Application Server (WAS) v6.1 versiones anteriores a v6.1.0.23 y v7.0 versiones anteriores a v7.0.0.3, cuando APAR PK41002 está instalado, no valida apropiadamente objetos UsernameToken, lo cual tiene un impacto y vectores de ataque desconocidos. • http://secunia.com/advisories/34131 http://secunia.com/advisories/34461 http://www-01.ibm.com/support/docview.wss?uid=swg1PK75992 http://www-01.ibm.com/support/docview.wss?uid=swg21367223 http://www-01.ibm.com/support/docview.wss?uid=swg27007951 http://www-01.ibm.com/support/docview.wss?uid=swg27014463 http://www.securityfocus.com/bid/34502 • CWE-20: Improper Input Validation •
CVE-2009-1174
https://notcve.org/view.php?id=CVE-2009-1174
The Web Services Security component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.35 and 7.0 before 7.0.0.3 has an unspecified "security problem" in the XML digital-signature specification, which has unknown impact and attack vectors. El componente Web Services Security en IBM WebSphere Application Server (WAS) v7.0 versiones anteriores a v7.0.0.3 tiene un "problema de seguridad" no especificado en la especificación firma-digital XML, lo cual tiene un impacto y vectores de ataque desconocidos. • http://secunia.com/advisories/34131 http://secunia.com/advisories/34461 http://secunia.com/advisories/35301 http://www-01.ibm.com/support/docview.wss?uid=swg1PK80596 http://www-01.ibm.com/support/docview.wss?uid=swg21384925 http://www-01.ibm.com/support/docview.wss?uid=swg27006876 http://www-01.ibm.com/support/docview.wss?uid=swg27014463 http://www.securityfocus.com/bid/34506 http://www.vupen.com/english/advisories/2009/1464 • CWE-310: Cryptographic Issues •
CVE-2009-1173
https://notcve.org/view.php?id=CVE-2009-1173
IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.3 uses weak permissions (777) for files associated with unspecified "interim fixes," which allows attackers to modify files that would not have been accessible if the intended 755 permissions were used. IBM WebSphere Application Server (WAS) v7.0 anterior a v7.0.0.3 utiliza permisos débiles (777) para ficheros asociados con "correcciones parciales" sin especificar, lo que permite a atacantes modificar ficheros que podría no haber estado accesible si los fueran utilizados los permisos 755. • http://secunia.com/advisories/34131 http://secunia.com/advisories/34461 http://www-01.ibm.com/support/docview.wss?uid=swg1PK77590 http://www-01.ibm.com/support/docview.wss?uid=swg1PK82988 http://www-01.ibm.com/support/docview.wss?uid=swg27014463 http://www.securityfocus.com/bid/34259 http://www.vupen.com/english/advisories/2009/0854 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2009-0892
https://notcve.org/view.php?id=CVE-2009-0892
The administrative console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.23 and 7.0 before 7.0.0.3 allows attackers to hijack user sessions in "specific scenarios" related to a forced logout. La consola de administración en IBM WebSphere Application Server (WAS) v6.1 versiones anteriores a v6.1.0.23 y v7.0 versiones anteriores a v7.0.0.3 permite a atacantes secuestrar sesiones de usuarios en "escenarios específicos" relacionados con cierres de sesión forzadas. • http://secunia.com/advisories/34131 http://www-01.ibm.com/support/docview.wss?uid=swg1PK74966 http://www-01.ibm.com/support/docview.wss?uid=swg27007951 http://www-01.ibm.com/support/docview.wss?uid=swg27014463 http://www.securityfocus.com/bid/34501 https://exchange.xforce.ibmcloud.com/vulnerabilities/49499 • CWE-287: Improper Authentication •