5.5

CVE-2009-0891

The Web Services Security component in IBM WebSphere Application Server 7.0 before Fix Pack 1 (7.0.0.1), 6.1 before Fix Pack 23 (6.1.0.23),and 6.0.2 before Fix Pack 33 (6.0.2.33) does not properly enforce (1) nonce and (2) timestamp expiration values in WS-Security bindings as stored in the com.ibm.wsspi.wssecurity.core custom property, which allows remote authenticated users to conduct session hijacking attacks.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
IbmWebsphere Application Server Version6.0.2 Editionfp17
IbmWebsphere Application Server Version6.0.2.1
IbmWebsphere Application Server Version6.0.2.2
IbmWebsphere Application Server Version6.0.2.3
IbmWebsphere Application Server Version6.0.2.4
IbmWebsphere Application Server Version6.0.2.5
IbmWebsphere Application Server Version6.0.2.6
IbmWebsphere Application Server Version6.0.2.7
IbmWebsphere Application Server Version6.0.2.8
IbmWebsphere Application Server Version6.0.2.9
IbmWebsphere Application Server Version6.0.2.10
IbmWebsphere Application Server Version6.0.2.11
IbmWebsphere Application Server Version6.0.2.12
IbmWebsphere Application Server Version6.0.2.13
IbmWebsphere Application Server Version6.0.2.14
IbmWebsphere Application Server Version6.0.2.15
IbmWebsphere Application Server Version6.0.2.16
IbmWebsphere Application Server Version6.0.2.17
IbmWebsphere Application Server Version6.0.2.18
IbmWebsphere Application Server Version6.0.2.19
IbmWebsphere Application Server Version6.0.2.20
IbmWebsphere Application Server Version6.0.2.21
IbmWebsphere Application Server Version6.0.2.22
IbmWebsphere Application Server Version6.0.2.23
IbmWebsphere Application Server Version6.0.2.24
IbmWebsphere Application Server Version6.0.2.25
IbmWebsphere Application Server Version6.0.2.27
IbmWebsphere Application Server Version6.0.2.28
IbmWebsphere Application Server Version6.0.2.29
IbmWebsphere Application Server Version6.0.2.30
IbmWebsphere Application Server Version6.0.2.31
IbmWebsphere Application Server Version6.0.2.32
IbmWebsphere Application Server Version6.1.0.0
IbmWebsphere Application Server Version6.1.0.1
IbmWebsphere Application Server Version6.1.0.2
IbmWebsphere Application Server Version6.1.0.3
IbmWebsphere Application Server Version6.1.0.4
IbmWebsphere Application Server Version6.1.0.5
IbmWebsphere Application Server Version6.1.0.6
IbmWebsphere Application Server Version6.1.0.7
IbmWebsphere Application Server Version6.1.0.8
IbmWebsphere Application Server Version6.1.0.9
IbmWebsphere Application Server Version6.1.0.10
IbmWebsphere Application Server Version6.1.0.11
IbmWebsphere Application Server Version6.1.0.12
IbmWebsphere Application Server Version6.1.0.13
IbmWebsphere Application Server Version6.1.0.14
IbmWebsphere Application Server Version6.1.0.15
IbmWebsphere Application Server Version6.1.0.16
IbmWebsphere Application Server Version6.1.0.17
IbmWebsphere Application Server Version6.1.0.18
IbmWebsphere Application Server Version6.1.0.19
IbmWebsphere Application Server Version6.1.0.20
IbmWebsphere Application Server Version6.1.0.21
IbmWebsphere Application Server Version6.1.0.22
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.76% 0.751
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.5 8 4.9
AV:N/AC:L/Au:S/C:P/I:P/A:N
CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

http://www-01.ibm.com/support/docview.wss?uid=swg27007951
Patch
http://www-01.ibm.com/support/docview.wss?uid=swg27006876
Patch
http://www-01.ibm.com/support/docview.wss?uid=swg27014463
Patch
http://secunia.com/advisories/34131
http://www-1.ibm.com/support/search.wss?rs=0&q=PK66676&apar=only
https://exchange.xforce.ibmcloud.com/vulnerabilities/49391