Medium severity 4.3 · NVD Advisory · Published Oct 22, 2016 · Updated May 6, 2026

CVE-2016-0377

Description

IBM WebSphere Application Server Administrative Console mishandles CSRFtoken cookies, allowing authenticated remote attackers to obtain sensitive information.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Administrative Console in IBM WebSphere Application Server (WAS) versions 7.x before 7.0.0.43, 8.0.x before 8.0.0.13, and 8.5.x before 8.5.5.10 mishandles CSRFtoken cookies, leading to an information disclosure vulnerability [1]. The improper cookie setting allows sensitive data to be exposed under certain conditions.

Exploitation

An attacker must have remote network access and valid user authentication to the Administrative Console. The available references do not specify the exploitation steps; they state only that the vulnerability is triggered via unspecified vectors that leverage the mishandled CSRFtoken cookie [1].

Impact

Successful exploitation results in the disclosure of sensitive information. According to the CVSS v3 vector (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N), the confidentiality impact is low, and there is no integrity or availability impact [1]. The attacker gains access to information they are not authorized to view.

Mitigation

IBM has released fixes for all affected versions. For WAS 7.0.0.0 through 7.0.0.41, upgrade to 7.0.0.43 or later, or apply Interim Fix PI56917. For 8.0.0.0 through 8.0.0.12, upgrade to 8.0.0.13 or later, or apply Interim Fix PI56917. For 8.5.0.0 through 8.5.5.9, upgrade to 8.5.5.10 or later, or apply Interim Fix PI56917 [1]. No workarounds are documented.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

67
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.10:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.11:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.12:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.13:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.14:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.15:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.16:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.17:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.18:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.19:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.21:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.22:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.23:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.24:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.25:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.27:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.28:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.29:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.31:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.32:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.33:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.34:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.35:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.36:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.37:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.38:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.39:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.40:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.41:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.42:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:7.0.0.9:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:8.0.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:8.0.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:8.0.0.10:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:8.0.0.11:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:8.0.0.12:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:8.0.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:8.0.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:8.0.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:8.0.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:8.0.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:8.0.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:8.0.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:8.0.0.9:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:8.5.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:8.5.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:8.5.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:8.5.5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:8.5.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:8.5.5.2:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:8.5.5.3:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:8.5.5.4:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:8.5.5.5:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:8.5.5.6:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:8.5.5.7:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:8.5.5.8:*:*:*:*:*:*:*
    • cpe:2.3:a:ibm:websphere_application_server:8.5.5.9:*:*:*:*:*:*:*
    • (no CPE) range: 7.x before 7.0.0.43, 8.0.x before 8.0.0.13, 8.5.x before 8.5.5.10

References

4
