CVE-2009-3106
https://notcve.org/view.php?id=CVE-2009-3106
The Servlet Engine/Web Container component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.37 does not properly implement security constraints on the (1) doGet and (2) doTrace methods, which allows remote attackers to bypass intended access restrictions and obtain sensitive information via a crafted HTTP HEAD request to a Web Application. El componente Servlet Engine/Web Container en IBM WebSphere Application Server (WAS) v6.0.2 anterior a v6.0.2.37, no implementa adecuadamente las restricciones de seguridad sobre los métodos (1) doGet y (2) doTrace, lo que permite a atacantes remotos evitar las restricciones de acceso intencionadas y obtener información sensible a través de una petición de cabecera (HEAD) HTTP a la Aplicación Web. • http://www-01.ibm.com/support/docview.wss?uid=swg27006876 http://www-1.ibm.com/support/docview.wss?uid=swg1PK83258 https://exchange.xforce.ibmcloud.com/vulnerabilities/53051 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2009-2090
https://notcve.org/view.php?id=CVE-2009-2090
Unspecified vulnerability in wsadmin in the System Management/Repository component in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.5 allows remote attackers to bypass intended Java Management Extensions (JMX) Management Beans (aka MBeans) access restrictions, and cause a denial of service (daemon stop), via unknown vectors. Vulnerabilidad no especificada en wsadmin en el componente System Management/Repository en IBM WebSphere Application Server (WAS) v7.0 anteriores a v7.0.0.5, permite a los atacantes remotos evitar las restricciones de acceso previstas para Java Management Extensions (JMX) Management Beans (aka MBeans), y causar una denegación de servicios (parada del demonio), a través de vectores desconocidos. • http://secunia.com/advisories/34461 http://www-01.ibm.com/support/docview.wss?uid=swg27014463 http://www-1.ibm.com/support/docview.wss?uid=swg1PK86328 http://www.securityfocus.com/bid/36153 https://exchange.xforce.ibmcloud.com/vulnerabilities/52082 •
CVE-2009-2092
https://notcve.org/view.php?id=CVE-2009-2092
IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.5 does not properly read the portletServingEnabled parameter in ibm-portlet-ext.xmi, which allows remote attackers to bypass intended access restrictions via unknown vectors. IBM WebSphere Application Server (WAS) v7.0 anteriores a v7.0.0.5 no lee apropiadamente el parámetro portletServingEnabled en ibm-portlet-ext.xmi, lo que permite a los atacantes remotos evitar las restricciones de acceso previstas a través de vectores desconocidos. • http://secunia.com/advisories/34461 http://www-01.ibm.com/support/docview.wss?uid=swg27014463 http://www-1.ibm.com/support/docview.wss?uid=swg1PK89385 http://www.securityfocus.com/bid/36155 https://exchange.xforce.ibmcloud.com/vulnerabilities/52375 • CWE-284: Improper Access Control •
CVE-2009-2085
https://notcve.org/view.php?id=CVE-2009-2085
The Security component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 and 7.0 before 7.0.0.5 does not properly handle use of Identity Assertion with CSIv2 Security, which allows remote attackers to bypass intended CSIv2 access restrictions via vectors involving Enterprise JavaBeans (EJB). El componente Security en IBM WebSphere Application Server (WAS) v6.1 anterior a v6.1.0.25 y v7.0 anterior a v7.0.0.5 no maneja adecuadamente la Aserción de Identidad (Identity Assertion) con CSIv2 Security, lo que permite a atacantes remotos evitar las restricciones de acceso establecidas con CSIv2 a través de vectores que involucran la "Enterprise JavaBeans" (EJB). • http://www-01.ibm.com/support/docview.wss?uid=swg27007951 http://www-01.ibm.com/support/docview.wss?uid=swg27014463 http://www-1.ibm.com/support/docview.wss?uid=swg1PK83097 https://exchange.xforce.ibmcloud.com/vulnerabilities/52076 • CWE-287: Improper Authentication •
CVE-2009-2091
https://notcve.org/view.php?id=CVE-2009-2091
The System Management/Repository component in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.5 on z/OS uses weak file permissions for new applications, which allows remote attackers to obtain sensitive information via unspecified vectors. El componente System Management/Repository en IBM WebSphere Application Server (WAS) v7.0 anteriores a v7.0.0.5 en z/OS utiliza permisos de ficheros débiles para nuevas aplicaciones, lo que permite a los atacantes remotos obtener información sensible a través de vectores no especificados. • http://secunia.com/advisories/34461 http://www-01.ibm.com/support/docview.wss?uid=swg27014463 http://www-1.ibm.com/support/docview.wss?uid=swg1PK83308 http://www.securityfocus.com/bid/36157 https://exchange.xforce.ibmcloud.com/vulnerabilities/52083 • CWE-264: Permissions, Privileges, and Access Controls •