CVE-2009-0904
https://notcve.org/view.php?id=CVE-2009-0904
The IBM Stax XMLStreamWriter in the Web Services component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 does not properly process XML encoding, which allows remote attackers to bypass intended access restrictions and possibly modify data via "XML fuzzing attacks" sent through SOAP requests. IBM Stax XMLStreamWriter en el componente Web Services de IBM WebSphere Application Server (WAS) v6.1 anterior a v6.1.0.25 , no procesa adecuadamente codificación XML, esto permite a atacantes remotos evitar las restricciones de acceso pretendidas y puede que modificar datos a través de "ataques difusos XML" enviados a través de solicitudes SOAP. • http://www-01.ibm.com/support/docview.wss?uid=swg27007951 http://www-1.ibm.com/support/docview.wss?uid=swg1PK84015 http://www.securityfocus.com/bid/35741 https://exchange.xforce.ibmcloud.com/vulnerabilities/51490 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2009-0903
https://notcve.org/view.php?id=CVE-2009-0903
IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.3, and the Feature Pack for Web Services for WAS 6.1 before 6.1.0.25, when a WS-Security policy is established at the operation level, does not properly handle inbound requests that lack a SOAPAction or WS-Addressing Action, which allows remote attackers to bypass intended access restrictions via a crafted request to a JAX-WS application. IBM WebSphere Application Server (WAS) v7.0 anterior a v7.0.0.3, y el Pack de características para Web Services para WAS v6.1 anterior a v6.1.0.25, cuando una política WS-Security está establecida en el nivel de operación, no maneja adecuadamente peticiones de entrada que carecen de una acción SOAPAction o WS-Addressing, lo que permite a atacantes remotos saltar las restricciones de acceso previstas a través de una petición manipulada para una aplicación JAX-WS. • http://www-1.ibm.com/support/docview.wss?uid=swg1PK72138 http://www-1.ibm.com/support/docview.wss?uid=swg1PK81944 http://www-1.ibm.com/support/docview.wss?uid=swg1PK87767 http://www.securityfocus.com/bid/35594 https://exchange.xforce.ibmcloud.com/vulnerabilities/51293 •
CVE-2009-0899
https://notcve.org/view.php?id=CVE-2009-0899
IBM WebSphere Application Server (WAS) 6.1 through 6.1.0.24 and 7.0 through 7.0.0.4, IBM WebSphere Portal Server 5.1 through 6.0, and IBM Integrated Solutions Console (ISC) 6.0.1 do not properly set the IsSecurityEnabled security flag during migration of WebSphere Member Manager (WMM) to Virtual Member Manager (VMM) and a Federated Repository, which allows attackers to obtain sensitive information from repositories via unspecified vectors. IBM WebSphere Application Server (WAS) v6.1 a la v6.1.0.24 y v7.0 a la v7.0.0.4, IBM WebSphere Portal Server v5.1 a la v6.0, e IBM Integrated Solutions Console (ISC) v6.0.1, no establecen adecuadamente la opción de seguridad IsSecurityEnabled durante la migración de WebSphere Member Manager (WMM) a Virtual Member Manager (VMM) y a Federated Repository, lo que permite a atacantes obtener información sensible de los repositorios a través de vectores no especificados. • http://www-01.ibm.com/support/docview.wss?uid=swg21375859 http://www-1.ibm.com/support/docview.wss?uid=swg1PK78134 http://www.securityfocus.com/bid/35406 https://exchange.xforce.ibmcloud.com/vulnerabilities/50882 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2009-1900
https://notcve.org/view.php?id=CVE-2009-1900
The Configservice APIs in the Administrative Console component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.35, 6.1 before 6.1.0.25, and 7.0 before 7.0.0.5, when tracing is enabled, allow remote attackers to obtain sensitive information via unspecified use of the wsadmin scripting tool. El Configservice APIs en el Administrative Console component en IBM WebSphere Application Server (WAS) v6.0.2 anterior a v6.0.2.35, permite a atacantes obtener información sensible a través de vectores no especificados. • http://secunia.com/advisories/35301 http://www-01.ibm.com/support/docview.wss?uid=swg27006876 http://www-01.ibm.com/support/docview.wss?uid=swg27007951 http://www-01.ibm.com/support/docview.wss?uid=swg27014463 http://www-1.ibm.com/support/docview.wss?uid=swg1PK84999 http://www.securityfocus.com/bid/35405 http://www.vupen.com/english/advisories/2009/1464 https://exchange.xforce.ibmcloud.com/vulnerabilities/51171 https://exchange.xforce.ibmcloud.com/vulnerabilities/52077 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2009-1899
https://notcve.org/view.php?id=CVE-2009-1899
Unspecified vulnerability in the Administrative Configservice API in the System Management/Repository component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.35, 6.1 before 6.1.0.25, and 7.0 before 7.0.0.5 on z/OS allows remote authenticated users to obtain sensitive information via unknown use of the wsadmin scripting tool, related to a "security exposure in wsadmin." Vulnerabilidad sin especificar en el componente Management/Repository en IBM WebSphere Application Server (WAS) v6.0.2 anterior a 6.0.2.35 tiene un impacto y vectores de ataque desconocidos. Relacionado con "exposición de seguridad en wsadmin". • http://secunia.com/advisories/35301 http://www-01.ibm.com/support/docview.wss?uid=swg27006876 http://www-01.ibm.com/support/docview.wss?uid=swg27007951 http://www-01.ibm.com/support/docview.wss?uid=swg27014463 http://www-1.ibm.com/support/docview.wss?uid=swg1PK77495 http://www.securityfocus.com/bid/35405 http://www.vupen.com/english/advisories/2009/1464 https://exchange.xforce.ibmcloud.com/vulnerabilities/51172 https://exchange.xforce.ibmcloud.com/vulnerabilities/52075 •