IBM WebSphere Application Server

66 matches found

added 2023/04/29 3:15 p.m. | 215 views

CVE-2023-30441

IBM Runtime Environment, Java Technology Edition IBMJCEPlus and JSSE 8.0.7.0 through 8.0.7.11 components could expose sensitive information using a combination of flaws and configurations. IBM X-Force ID: 253188.

CVSS: 7.5 | AI score: 7.4 | EPSS: 0.00035

added 2014/05/16 11:12 a.m. | 167 views

CVE-2014-0964

IBM WebSphere Application Server (WAS) 6.1.0.0 through 6.1.0.47 and 6.0.2.0 through 6.0.2.43 allows remote attackers to cause a denial of service via crafted TLS traffic, as demonstrated by traffic from a CVE-2014-0160 vulnerability-assessment tool.

CVSS: 7.1 | AI score: 7.6 | EPSS: 0.94462

added 2020/06/05 5:15 p.m. | 145 views

CVE-2020-4449

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional could allow a remote attacker to obtain sensitive information with a specially-crafted sequence of serialized objects. IBM X-Force ID: 181230.

CVSS: 7.5 | AI score: 7.1 | EPSS: 0.00778

added 2020/02/03 5:15 p.m. | 120 views

CVE-2019-4732

IBM SDK, Java Technology Edition Version 7.0.0.0 through 7.0.10.55, 7.1.0.0 through 7.1.4.55, and 8.0.0.0 through 8.0.6.0 could allow a local authenticated attacker to execute arbitrary code on the system, caused by DLL search order hijacking vulnerability in Microsoft Windows client. By placing a ...

CVSS: 7.2 | AI score: 6.3 | EPSS: 0.00164

added 2024/03/31 12:15 p.m. | 111 views

CVE-2024-22353

IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.4 is vulnerable to a denial of service, caused by sending a specially crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources. IBM X-Force ID: 280400.

CVSS: 7.5 | AI score: 6.5 | EPSS: 0.00019

added 2024/04/17 1:15 a.m. | 111 views

CVE-2024-22354

IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.5 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information, consume memo...

CVSS: 7 | AI score: 6.9 | EPSS: 0.00014

added 2024/07/09 10:15 p.m. | 101 views

CVE-2024-35154

IBM WebSphere Application Server 8.5 and 9.0 could allow a remote authenticated attacker, who has authorized access to the administrative console, to execute arbitrary code. Using specially crafted input, the attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-F...

CVSS: 7.2 | AI score: 7.2 | EPSS: 0.00405

added 2024/04/04 6:15 p.m. | 97 views

CVE-2024-27268

IBM WebSphere Application Server Liberty 18.0.0.2 through 24.0.0.4 is vulnerable to a denial of service, caused by sending a specially crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources. IBM X-Force ID: 284574.

CVSS: 7.5 | AI score: 5.9 | EPSS: 0.00171

added 2021/12/09 5:15 p.m. | 92 views

CVE-2021-38951

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume all available CPU resources. IBM X-Force ID: 211405.

CVSS: 7.5 | AI score: 7.3 | EPSS: 0.00086

added 2024/04/25 1:15 p.m. | 88 views

CVE-2024-25026

IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.4 are vulnerable to a denial of service, caused by sending a specially crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources. ...

CVSS: 7.5 | AI score: 6.3 | EPSS: 0.00019

added 2020/01/31 4:15 p.m. | 85 views

CVE-2019-4720

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume all available memory. IBM X-Force ID: 172125.

CVSS: 7.5 | AI score: 7.4 | EPSS: 0.00153

added 2020/03/26 2:15 p.m. | 85 views

CVE-2020-4276

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional is vulnerable to a privilege escalation vulnerability when using token-based authentication in an admin request over the SOAP connector. X-Force ID: 175984.

CVSS: 7.5 | AI score: 7.6 | EPSS: 0.0054

added 2017/01/06 10:59 p.m. | 83 views

CVE-2016-9879

An issue was discovered in Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1. Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded "/" to a request, an attacker may be able to bypas...

CVSS: 7.5 | AI score: 7.3 | EPSS: 0.00322

added 2021/02/18 3:15 p.m. | 81 views

CVE-2021-20354

IBM WebSphere Application Server 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 194883.

CVSS: 7.8 | AI score: 7.3 | EPSS: 0.00287

added 2024/08/14 6:15 p.m. | 81 views

CVE-2023-50314

IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.8 could allow an attacker with access to the network to conduct spoofing attacks. An attacker could exploit this vulnerability using a certificate issued by a trusted authority to obtain sensitive information. IBM X-Force ID: 274713.

CVSS: 7.5 | AI score: 5 | EPSS: 0.00068

added 2017/02/01 10:59 p.m. | 78 views

CVE-2016-8919

IBM WebSphere Application Server may be vulnerable to a denial of service, caused by allowing serialized objects from untrusted sources to run and cause the consumption of resources.

CVSS: 7.8 | AI score: 7.3 | EPSS: 0.00859

added 2017/07/24 9:29 p.m. | 77 views

CVE-2017-1382

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 might create files using the default permissions instead of the customized permissions when custom startup scripts are used. A local attacker could exploit this to gain access to files with an unknown impact. IBM X-Force ID: 127153.

CVSS: 7.1 | AI score: 6.9 | EPSS: 0.00039

added 2019/03/25 7:29 p.m. | 77 views

CVE-2019-4046

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a denial of service, caused by improper handling of request headers. A remote attacker could exploit this vulnerability to cause the consumption of memory. IBM X-Force ID: 156242.

CVSS: 7.5 | AI score: 7.4 | EPSS: 0.01177

added 2016/10/05 10:59 a.m. | 75 views

CVE-2016-5983

IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.43, 8.0 before 8.0.0.13, 8.5 before 8.5.5.11, 9.0 before 9.0.0.2, and Liberty before 16.0.0.4 allows remote authenticated users to execute arbitrary Java code via a crafted serialized object.

CVSS: 7.5 | AI score: 7.6 | EPSS: 0.13762

added 2023/08/16 7:15 p.m. | 74 views

CVE-2023-38737

IBM WebSphere Application Server Liberty 22.0.0.13 through 23.0.0.7 is vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources. IBM X-Force ID: 262567.

CVSS: 7.5 | AI score: 6.4 | EPSS: 0.00024

added 2020/02/04 5:15 p.m. | 67 views

CVE-2020-4163

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0, under specialized conditions, could allow an authenticated user to create a maliciously crafted file name which would be misinterpreted as jsp content and executed. IBM X-Force ID: 174397.

CVSS: 7.2 | AI score: 6.7 | EPSS: 0.00418

added 2002/06/25 4:0 a.m. | 66 views

CVE-2001-0962

IBM WebSphere Application Server 3.02 through 3.53 uses predictable session IDs for cookies, which allows remote attackers to gain privileges of WebSphere users via brute force guessing.

CVSS: 7.5 | AI score: 7.2 | EPSS: 0.01053

added 2014/08/22 1:55 a.m. | 65 views

CVE-2014-4764

IBM WebSphere Application Server (WAS) 8.0.x before 8.0.0.10 and 8.5.x before 8.5.5.3, when Load Balancer for IPv4 Dispatcher is enabled, allows remote attackers to cause a denial of service (Load Balancer crash) via unspecified vectors.

CVSS: 7.1 | AI score: 5 | EPSS: 0.00952

added 2019/06/28 5:15 p.m. | 64 views

CVE-2019-4269

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Admin Console could allow a remote attacker to obtain sensitive information when a specially crafted url causes a stack trace to be dumped. IBM X-Force ID: 160202.

CVSS: 7.5 | AI score: 7.1 | EPSS: 0.00358

added 2009/03/16 7:30 p.m. | 63 views

CVE-2009-0508

The Servlet Engine/Web Container and JSP components in IBM WebSphere Application Server (WAS) 5.1.0, 5.1.1.19, 6.0.2 before 6.0.2.35, 6.1 before 6.1.0.23, and 7.0 before 7.0.0.3 allow remote attackers to read arbitrary files contained in war files in (1) web-inf, (2) meta-inf, and unspecified other...

CVSS: 7.5 | AI score: 6.8 | EPSS: 0.01719

added 2016/07/07 2:59 p.m. | 61 views

CVE-2016-2923

IBM WebSphere Application Server (WAS) 8.5 through 8.5.5.9 Liberty before Liberty Fix Pack 16.0.0.2 does not include the HTTPOnly flag in a Set-Cookie header for an unspecified JAX-RS API cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script acces...

CVSS: 7.5 | AI score: 7.1 | EPSS: 0.00278

added 2016/10/01 1:59 a.m. | 61 views

CVE-2016-5986

IBM WebSphere Application Server (WAS) 7.x before 7.0.0.43, 8.0.x before 8.0.0.13, 8.5.x before 8.5.5.11, 9.0.x before 9.0.0.2, and Liberty before 16.0.0.3 mishandles responses, which allows remote attackers to obtain sensitive information via unspecified vectors.

CVSS: 7.5 | AI score: 7.2 | EPSS: 0.00445

added 2020/09/21 5:15 p.m. | 61 views

CVE-2020-4643

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information. IBM X-Force ID: 185590.

CVSS: 7.5 | AI score: 7.5 | EPSS: 0.00335

added 2018/05/24 9:29 p.m. | 60 views

CVE-2013-3024

IBM WebSphere Application Server (WAS) 8.5 through 8.5.0.2 on UNIX allows local users to gain privileges by leveraging improper process initialization. IBM X-Force ID: 84362.

CVSS: 7.8 | AI score: 7.6 | EPSS: 0.00038

added 2023/01/26 9:17 p.m. | 57 views

CVE-2022-43917

IBM WebSphere Application Server 8.5 and 9.0 traditional container uses weaker than expected cryptographic keys that could allow an attacker to decrypt sensitive information. This affects only the containerized version of WebSphere Application Server traditional. IBM X-Force ID: 241045.

CVSS: 7.5 | AI score: 6.4 | EPSS: 0.00033

added 2020/10/01 4:15 p.m. | 56 views

CVE-2020-4576

IBM WebSphere Application Server 7.5, 8.0, 8.5, and 9.0 traditional could allow a remote attacker to obtain sensitive information with a specially-crafted sequence of serialized objects. IBM X-Force ID: 184428.

CVSS: 7.5 | AI score: 7.1 | EPSS: 0.00442

added 2012/11/14 12:30 p.m. | 55 views

CVE-2012-4850

IBM WebSphere Application Server 8.5 Liberty Profile before 8.5.0.1, when JAX-RS is used, does not properly validate requests, which allows remote attackers to gain privileges via unspecified vectors.

CVSS: 7.5 | AI score: 9.3 | EPSS: 0.00792

added 2018/06/26 8:29 p.m. | 55 views

CVE-2018-1614

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 using malformed SAML responses from the SAML identity provider could allow a remote attacker to obtain sensitive information. IBM X-Force ID: 144270.

CVSS: 7.5 | AI score: 7.2 | EPSS: 0.00586

added 2001/12/06 5:0 a.m. | 52 views

CVE-2001-0824

Cross-site scripting vulnerability in IBM WebSphere 3.02 and 3.5 FP2 allows remote attackers to execute Javascript by inserting the Javascript into (1) a request for a .JSP file, or (2) a request to the webapp/examples/ directory, which inserts the Javascript into an error page.

CVSS: 7.5 | AI score: 6.5 | EPSS: 0.00843

added 2016/07/08 1:59 a.m. | 51 views

CVE-2016-2945

The API Discovery implementation in IBM WebSphere Application Server (WAS) 8.5.5.8 through 8.5.5.9 Liberty before Liberty Fix Pack 16.0.0.2 allows remote authenticated users to gain privileges via an external reference in a Swagger document.

CVSS: 7.5 | AI score: 7.4 | EPSS: 0.00633

added 2009/08/13 6:30 p.m. | 50 views

CVE-2009-2092

IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.5 does not properly read the portletServingEnabled parameter in ibm-portlet-ext.xmi, which allows remote attackers to bypass intended access restrictions via unknown vectors.

CVSS: 7.5 | AI score: 6.6 | EPSS: 0.00304

added 2007/04/11 1:19 a.m. | 49 views

CVE-2007-1945

Unspecified vulnerability in the Servlet Engine/Web Container in IBM WebSphere Application Server (WAS) before 6.1.0.7 has unknown impact and attack vectors.

CVSS: 7.5 | AI score: 6.4 | EPSS: 0.0067

added 2018/09/26 3:29 p.m. | 49 views

CVE-2018-1683

IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by the failure to encrypt ORB communication. IBM X-Force ID: 145455.

CVSS: 7.5 | AI score: 7.2 | EPSS: 0.00195

added 2018/09/06 2:29 p.m. | 49 views

CVE-2018-1695

IBM WebSphere Application Server 7.0, 8.0, and 8.5.5 installations using Form Login could allow a remote attacker to conduct spoofing attacks. IBM X-Force ID: 145769.

CVSS: 7.3 | AI score: 5.5 | EPSS: 0.00493

added 2008/10/22 6:0 p.m. | 48 views

CVE-2008-4678

The HTTP_Request_Parser method in the HTTP Transport component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.31 allows remote attackers to cause a denial of service (controller 0C4 abend and application hang) via a long HTTP Host header, related to "storage overlay" on the stack and ...

CVSS: 7.8 | AI score: 6.4 | EPSS: 0.01639

added 2009/08/13 6:30 p.m. | 48 views

CVE-2009-2085

The Security component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 and 7.0 before 7.0.0.5 does not properly handle use of Identity Assertion with CSIv2 Security, which allows remote attackers to bypass intended CSIv2 access restrictions via vectors involving Enterprise JavaBeans (...

CVSS: 7.5 | AI score: 6.5 | EPSS: 0.00321

added 2018/11/26 5:0 p.m. | 48 views

CVE-2018-1905

IBM WebSphere Application Server 9.0.0.0 through 9.0.0.9 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 152534.

CVSS: 7.1 | AI score: 6.9 | EPSS: 0.00483

added 2009/09/21 7:30 p.m. | 47 views

CVE-2009-2744

Unspecified vulnerability in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.27 allows remote attackers to cause a denial of service via unknown vectors, related to "an error in fixpacks 6.1.0.23 and 6.1.0.25."

CVSS: 7.8 | AI score: 6.5 | EPSS: 0.00836

added 2000/10/13 4:0 a.m. | 46 views

CVE-2000-0497

IBM WebSphere server 3.0.2 allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP extension in upper case.

CVSS: 7.5 | AI score: 6.9 | EPSS: 0.00729

added 2005/06/07 4:0 a.m. | 42 views

CVE-2005-1872

Buffer overflow in the administrative console in IBM WebSphere Application Server 5.x, when the global security option is enabled, allows remote attackers to execute arbitrary code.

CVSS: 7.5 | AI score: 7.6 | EPSS: 0.05181

added 2018/06/27 6:29 p.m. | 42 views

CVE-2018-1553

IBM WebSphere Application Server Liberty prior to 18.0.0.2 could allow a remote attacker to obtain sensitive information, caused by mishandling of exceptions by the SAML Web SSO feature. IBM X-Force ID: 142890.

CVSS: 7.5 | AI score: 7.2 | EPSS: 0.0026

added 2006/05/12 5:6 p.m. | 41 views

CVE-2006-2342

IBM WebSphere Application Server 6.0.2 before FixPack 3 allows remote attackers to bypass authentication for the Welcome Page via a request to the default context root.

CVSS: 7.5 | AI score: 6.8 | EPSS: 0.01246

added 2006/10/17 5:7 p.m. | 41 views

CVE-2006-5324

The Web Services Notification (WSN) security component of IBM WebSphere Application Server before 6.1.0.2 allows attackers to obtain unspecified access without supplying a username and password, aka PK28374.

CVSS: 7.5 | AI score: 6.7 | EPSS: 0.00484

added 2010/03/29 8:30 p.m. | 41 views

CVE-2010-1182

Multiple unspecified vulnerabilities in the administrative console in IBM WebSphere Application Server (WAS) 7.0.x before 7.0.0.9 on z/OS have unknown impact and attack vectors.

CVSS: 7.5 | AI score: 6.5 | EPSS: 0.00396

added 2011/03/08 9:59 p.m. | 41 views

CVE-2011-1309

The Plug-in component in IBM WebSphere Application Server (WAS) before 7.0.0.15 does not properly handle trace requests, which has unspecified impact and attack vectors.

CVSS: 7.5 | AI score: 6.5 | EPSS: 0.00401

Total number of security vulnerabilities: 66