CVE-2009-0891

Published: 25/03/2009 Updated: 17/08/2017
CVSS v2 Base Score: 5.5 | Impact Score: 4.9 | Exploitability Score: 8
VMScore: 490
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N

Vulnerability Summary

The Web Services Security component in IBM WebSphere Application Server 7.0 before Fix Pack 1 (7.0.0.1), 6.1 before Fix Pack 23 (6.1.0.23), and 6.0.2 before Fix Pack 33 (6.0.2.33) does not properly enforce (1) nonce and (2) timestamp expiration values in WS-Security bindings as stored in the com.ibm.wsspi.wssecurity.core custom property, which allows remote authenticated users to conduct session hijacking attacks.

Vulnerable Product

ibm websphere application server 6.1.0.10

ibm websphere application server 6.1.0.11

ibm websphere application server 6.1.0.18

ibm websphere application server 6.1.0.19

ibm websphere application server 6.1.0.2

ibm websphere application server 6.1.0.6

ibm websphere application server 6.1.0.7

ibm websphere application server 6.0.2.12

ibm websphere application server 6.0.2.13

ibm websphere application server 6.0.2.20

ibm websphere application server 6.0.2.21

ibm websphere application server 6.0.2.29

ibm websphere application server 6.0.2.3

ibm websphere application server 6.0.2.7

ibm websphere application server 6.0.2.8

ibm websphere application server 6.1

ibm websphere application server 6.1.0

ibm websphere application server 6.1.0.14

ibm websphere application server 6.1.0.15

ibm websphere application server 6.1.0.22

ibm websphere application server 6.1.0.3

ibm websphere application server 6.0.2

ibm websphere application server 6.0.2.1

ibm websphere application server 6.0.2.16

ibm websphere application server 6.0.2.17

ibm websphere application server 6.0.2.24

ibm websphere application server 6.0.2.25

ibm websphere application server 6.0.2.32

ibm websphere application server 6.0.2.4

ibm websphere application server 6.1.0.0

ibm websphere application server 6.1.0.1

ibm websphere application server 6.1.0.16

ibm websphere application server 6.1.0.17

ibm websphere application server 6.1.0.4

ibm websphere application server 6.1.0.5

ibm websphere application server 6.0.2.10

ibm websphere application server 6.0.2.11

ibm websphere application server 6.0.2.18

ibm websphere application server 6.0.2.19

ibm websphere application server 6.0.2.2

ibm websphere application server 6.0.2.27

ibm websphere application server 6.0.2.28

ibm websphere application server 6.0.2.5

ibm websphere application server 6.0.2.6

ibm websphere application server 7.0

ibm websphere application server 6.1.0.12

ibm websphere application server 6.1.0.13

ibm websphere application server 6.1.0.20

ibm websphere application server 6.1.0.21

ibm websphere application server 6.1.0.8

ibm websphere application server 6.1.0.9

ibm websphere application server 6.0.2.14

ibm websphere application server 6.0.2.15

ibm websphere application server 6.0.2.22

ibm websphere application server 6.0.2.23

ibm websphere application server 6.0.2.30

ibm websphere application server 6.0.2.31

ibm websphere application server 6.0.2.9