Websphere Application Server
by IBM
CVEs (462)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-5986 | Hig | 0.49 | 7.5 | 0.02 | Oct 1, 2016 | IBM WebSphere Application Server (WAS) 7.x before 7.0.0.43, 8.0.x before 8.0.0.13, 8.5.x before 8.5.5.11, 9.0.x before 9.0.0.2, and Liberty before 16.0.0.3 mishandles responses, which allows remote attackers to obtain sensitive information via unspecified vectors. | ||
| CVE-2016-2945 | Hig | 0.49 | 7.5 | 0.02 | Jul 8, 2016 | The API Discovery implementation in IBM WebSphere Application Server (WAS) 8.5.5.8 through 8.5.5.9 Liberty before Liberty Fix Pack 16.0.0.2 allows remote authenticated users to gain privileges via an external reference in a Swagger document. | ||
| CVE-2016-2923 | Hig | 0.49 | 7.5 | 0.02 | Jul 7, 2016 | IBM WebSphere Application Server (WAS) 8.5 through 8.5.5.9 Liberty before Liberty Fix Pack 16.0.0.2 does not include the HTTPOnly flag in a Set-Cookie header for an unspecified JAX-RS API cookie, which makes it easier for remote attackers to obtain potentially sensitive… | ||
| CVE-2000-0497 | Hig | 0.49 | 7.5 | 0.03 | Jun 8, 2000 | IBM WebSphere server 3.0.2 allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP extension in upper case. | ||
| CVE-2018-1695 | Hig | 0.48 | 7.3 | 0.02 | Sep 6, 2018 | IBM WebSphere Application Server 7.0, 8.0, and 8.5.5 installations using Form Login could allow a remote attacker to conduct spoofing attacks. IBM X-Force ID: 145769. | ||
| CVE-2017-1382 | Hig | 0.46 | 7.1 | 0.00 | Jul 24, 2017 | IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 might create files using the default permissions instead of the customized permissions when custom startup scripts are used. A local attacker could exploit this to gain access to files with an unknown impact. IBM X-Force… | ||
| CVE-2015-0110 | Med | 0.42 | 6.5 | 0.01 | Sep 15, 2017 | IBM Business Process Manager (aka BPM) 7.5.x, 8.0.x, and 8.5.x and WebSphere Lombardi Edition (aka WLE) 7.2.x allow remote authenticated users to bypass intended access restrictions on internal service types via vectors involving the executeServiceByName URL. | ||
| CVE-2017-1504 | Med | 0.42 | 6.5 | 0.01 | Aug 3, 2017 | IBM WebSphere Application Server version 9.0.0.4 could provide weaker than expected security after using the PasswordUtil command to enable AES password encryption. IBM X-Force ID: 129579. | ||
| CVE-2018-1794 | Med | 0.40 | 6.1 | 0.01 | Oct 3, 2018 | IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 using OAuth ear is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure… | ||
| CVE-2018-1793 | Med | 0.40 | 6.1 | 0.01 | Oct 3, 2018 | IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 using SAML ear is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure… | ||
| CVE-2017-1503 | Med | 0.40 | 6.1 | 0.02 | Oct 10, 2017 | IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using specially-crafted URL to cause the server to return a split response, once the URL is clicked. This would allow the… | ||
| CVE-2016-0359 | Med | 0.40 | 6.1 | 0.01 | Jul 3, 2016 | CRLF injection vulnerability in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.43, 8.0 before 8.0.0.13, 8.5 Full before 8.5.5.10, and 8.5 Liberty before Liberty Fix Pack 16.0.0.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response… | ||
| CVE-2016-0283 | Med | 0.40 | 6.1 | 0.01 | Mar 19, 2016 | Cross-site scripting (XSS) vulnerability in the OpenID Connect (OIDC) client web application in IBM WebSphere Application Server (WAS) Liberty Profile 8.5.5 before 8.5.5.9 allows remote attackers to inject arbitrary web script or HTML via a crafted URL. | ||
| CVE-2018-1683 | Med | 0.39 | 5.9 | 0.02 | Sep 26, 2018 | IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by the failure to encrypt ORB communication. IBM X-Force ID: 145455. | ||
| CVE-2018-1719 | Med | 0.39 | 5.9 | 0.02 | Sep 14, 2018 | IBM WebSphere Application Server 8.5 and 9.0 could provide weaker than expected security under certain conditions. This could result in a downgrade of TLS protocol. A remote attacker could exploit this vulnerability to perform man-in-the-middle attacks. IBM X-Force ID: 147292. | ||
| CVE-2018-1755 | Med | 0.39 | 5.9 | 0.03 | Aug 24, 2018 | IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by incorrect transport being used when Liberty is configured to use Java Authentication SPI for Containers (JASPIC). This can happen when the Application Server is… | ||
| CVE-2017-1501 | Med | 0.39 | 5.9 | 0.02 | Aug 18, 2017 | IBM WebSphere Application Server 8.0, 8.5, and 9.0 could provide weaker than expected security after using the Admin Console to update the web services security bindings settings. IBM X-Force ID: 129576. | ||
| CVE-2018-1614 | Med | 0.38 | 5.8 | 0.03 | Jun 26, 2018 | IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 using malformed SAML responses from the SAML identity provider could allow a remote attacker to obtain sensitive information. IBM X-Force ID: 144270. | ||
| CVE-2016-0306 | Med | 0.38 | 5.9 | 0.01 | May 17, 2016 | IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.41, 8.0 before 8.0.0.13, and 8.5 before 8.5.5.10, when FIPS 140-2 is enabled, misconfigures TLS, which allows man-in-the-middle attackers to obtain sensitive information via unspecified vectors. | ||
| CVE-2018-1553 | Med | 0.35 | 5.3 | 0.03 | Jun 27, 2018 | IBM WebSphere Application Server Liberty prior to 18.0.0.2 could allow a remote attacker to obtain sensitive information, caused by mishandling of exceptions by the SAML Web SSO feature. IBM X-Force ID: 142890. |
- risk 0.49cvss 7.5epss 0.02
IBM WebSphere Application Server (WAS) 7.x before 7.0.0.43, 8.0.x before 8.0.0.13, 8.5.x before 8.5.5.11, 9.0.x before 9.0.0.2, and Liberty before 16.0.0.3 mishandles responses, which allows remote attackers to obtain sensitive information via unspecified vectors.
- risk 0.49cvss 7.5epss 0.02
The API Discovery implementation in IBM WebSphere Application Server (WAS) 8.5.5.8 through 8.5.5.9 Liberty before Liberty Fix Pack 16.0.0.2 allows remote authenticated users to gain privileges via an external reference in a Swagger document.
- risk 0.49cvss 7.5epss 0.02
IBM WebSphere Application Server (WAS) 8.5 through 8.5.5.9 Liberty before Liberty Fix Pack 16.0.0.2 does not include the HTTPOnly flag in a Set-Cookie header for an unspecified JAX-RS API cookie, which makes it easier for remote attackers to obtain potentially sensitive…
- risk 0.49cvss 7.5epss 0.03
IBM WebSphere server 3.0.2 allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP extension in upper case.
- risk 0.48cvss 7.3epss 0.02
IBM WebSphere Application Server 7.0, 8.0, and 8.5.5 installations using Form Login could allow a remote attacker to conduct spoofing attacks. IBM X-Force ID: 145769.
- risk 0.46cvss 7.1epss 0.00
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 might create files using the default permissions instead of the customized permissions when custom startup scripts are used. A local attacker could exploit this to gain access to files with an unknown impact. IBM X-Force…
- risk 0.42cvss 6.5epss 0.01
IBM Business Process Manager (aka BPM) 7.5.x, 8.0.x, and 8.5.x and WebSphere Lombardi Edition (aka WLE) 7.2.x allow remote authenticated users to bypass intended access restrictions on internal service types via vectors involving the executeServiceByName URL.
- risk 0.42cvss 6.5epss 0.01
IBM WebSphere Application Server version 9.0.0.4 could provide weaker than expected security after using the PasswordUtil command to enable AES password encryption. IBM X-Force ID: 129579.
- risk 0.40cvss 6.1epss 0.01
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 using OAuth ear is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure…
- risk 0.40cvss 6.1epss 0.01
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 using SAML ear is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure…
- risk 0.40cvss 6.1epss 0.02
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using specially-crafted URL to cause the server to return a split response, once the URL is clicked. This would allow the…
- risk 0.40cvss 6.1epss 0.01
CRLF injection vulnerability in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.43, 8.0 before 8.0.0.13, 8.5 Full before 8.5.5.10, and 8.5 Liberty before Liberty Fix Pack 16.0.0.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response…
- risk 0.40cvss 6.1epss 0.01
Cross-site scripting (XSS) vulnerability in the OpenID Connect (OIDC) client web application in IBM WebSphere Application Server (WAS) Liberty Profile 8.5.5 before 8.5.5.9 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
- risk 0.39cvss 5.9epss 0.02
IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by the failure to encrypt ORB communication. IBM X-Force ID: 145455.
- risk 0.39cvss 5.9epss 0.02
IBM WebSphere Application Server 8.5 and 9.0 could provide weaker than expected security under certain conditions. This could result in a downgrade of TLS protocol. A remote attacker could exploit this vulnerability to perform man-in-the-middle attacks. IBM X-Force ID: 147292.
- risk 0.39cvss 5.9epss 0.03
IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by incorrect transport being used when Liberty is configured to use Java Authentication SPI for Containers (JASPIC). This can happen when the Application Server is…
- risk 0.39cvss 5.9epss 0.02
IBM WebSphere Application Server 8.0, 8.5, and 9.0 could provide weaker than expected security after using the Admin Console to update the web services security bindings settings. IBM X-Force ID: 129576.
- risk 0.38cvss 5.8epss 0.03
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 using malformed SAML responses from the SAML identity provider could allow a remote attacker to obtain sensitive information. IBM X-Force ID: 144270.
- risk 0.38cvss 5.9epss 0.01
IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.41, 8.0 before 8.0.0.13, and 8.5 before 8.5.5.10, when FIPS 140-2 is enabled, misconfigures TLS, which allows man-in-the-middle attackers to obtain sensitive information via unspecified vectors.
- risk 0.35cvss 5.3epss 0.03
IBM WebSphere Application Server Liberty prior to 18.0.0.2 could allow a remote attacker to obtain sensitive information, caused by mishandling of exceptions by the SAML Web SSO feature. IBM X-Force ID: 142890.
Page 2 of 24