This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Vendor: Ibm
Product: Websphere Application Server
Version: *
Update: *
Edition: *
Language: *
Software Edition: *
Target Software: *
Target Hardware: *
Other: *

Detail

First view: 2001-09-19
Last view: 2020-08-13
Type: Application

CPE Product: cpe:2.3:a:ibm:websphere_application_server

Activity : Overall

Related : CVE

This CPE has more than 25 relations. If you want to see a complete summary for this CPE, please contact us.
Score Date Alert Description
9.8 2020-08-13 CVE-2020-4589

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects from untrusted sources. The vulnerability only occurs if an undocumented customization has been applied by an administrator. IBM X-Force ID: 184585.

8.8 2020-07-17 CVE-2020-4464

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional could allow a remote attacker to execute arbitrary code on a system with a specially-crafted sequence of serialized objects over the SOAP connector. IBM X-Force ID: 181489.

9.8 2020-06-05 CVE-2020-4450

IBM WebSphere Application Server 8.5 and 9.0 traditional could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects. IBM X-Force ID: 181231.

7.5 2020-06-05 CVE-2020-4449

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional could allow a remote attacker to obtain sensitive information with a specially-crafted sequence of serialized objects. IBM X-Force ID: 181230.

9.8 2020-06-05 CVE-2020-4448

IBM WebSphere Application Server Network Deployment 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects from untrusted sources. IBM X-Force ID: 181228.

4.3 2020-05-14 CVE-2020-4365

IBM WebSphere Application Server 8.5 is vulnerable to server-side request forgery. By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to obtain sensitive data. IBM X-Force ID: 178964.

5.4 2020-05-06 CVE-2020-4421

IBM WebSphere Application Liberty 19.0.0.5 through 20.0.0.4 could allow an authenticated user using openidconnect to spoof another user's identity. IBM X-Force ID: 180084.

4.3 2020-04-28 CVE-2020-4329

IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. IBM X-Force ID: 177841.

8.8 2020-04-10 CVE-2020-4362

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional is vulnerable to a privilege escalation vulnerability when using token-based authentication in an admin request over the SOAP connector. IBM X-Force ID: 178929.

6.1 2020-04-02 CVE-2020-4304

IBM WebSphere Application Server - Liberty 17.0.0.3 through 20.0.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 176670.

6.1 2020-04-02 CVE-2020-4303

IBM WebSphere Application Server - Liberty 17.0.0.3 through 20.0.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 176668.

7.5 2020-03-26 CVE-2020-4276

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional is vulnerable to a privilege escalation vulnerability when using token-based authentication in an admin request over the SOAP connector. X-Force ID: 175984.

6.5 2020-02-05 CVE-2019-4670

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to obtain sensitive information caused by improper data representation. IBM X-Force ID: 171319.

7.2 2020-02-04 CVE-2020-4163

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0, under specialized conditions, could allow an authenticated user to create a maliciously crafted file name which would be misinterpreted as jsp content and executed. IBM X-Force ID: 174397.

7.5 2020-01-31 CVE-2019-4720

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume all available memory. IBM X-Force ID: 172125.

5.4 2019-12-10 CVE-2019-4663

IBM WebSphere Application Server - Liberty is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 171245.

5.3 2019-10-03 CVE-2019-4441

IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0, and Liberty could allow a remote attacker to obtain sensitive information when a stack trace is returned in the browser. IBM X-Force ID: 163177.

5.3 2019-09-30 CVE-2019-4305

IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by the improper setting of a cookie. IBM X-Force ID: 160951.

6.3 2019-09-30 CVE-2019-4304

IBM WebSphere Application Server - Liberty could allow a remote attacker to bypass security restrictions caused by improper session validation. IBM X-Force ID: 160950.

5.3 2019-09-20 CVE-2019-4505

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Network Deployment could allow a remote attacker to obtain sensitive information, caused by sending a specially-crafted URL. This can lead the attacker to view any file in a certain directory. IBM X-Force ID: 164364.

6.5 2019-09-17 CVE-2019-4477

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a user with access to audit logs to obtain sensitive information, caused by improper handling of command line options. IBM X-Force ID: 163997.

4.3 2019-09-17 CVE-2019-4442

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the file system. An attacker could send a specially-crafted URL request to view arbitrary files on the system but not content. IBM X-Force ID: 163226.

3.5 2019-09-17 CVE-2019-4271

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Admin console is vulnerable to a Client-side HTTP parameter pollution vulnerability. IBM X-Force ID: 160243.

5.4 2019-09-17 CVE-2019-4270

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Admin Console is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 160203.

5.3 2019-09-17 CVE-2019-4268

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 160201.

CWE : Common Weakness Enumeration

% (count) id Name
24% (22) CWE-200 Information Exposure
18% (17) CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
7% (7) CWE-502 Deserialization of Untrusted Data
7% (7) CWE-264 Permissions, Privileges, and Access Controls
5% (5) CWE-399 Resource Management Errors
4% (4) CWE-310 Cryptographic Issues
4% (4) CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path ...
3% (3) CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
3% (3) CWE-352 Cross-Site Request Forgery (CSRF)
3% (3) CWE-269 Improper Privilege Management
3% (3) CWE-20 Improper Input Validation
1% (1) CWE-668 Exposure of Resource to Wrong Sphere
1% (1) CWE-611 Information Leak Through XML External Entity File Disclosure
1% (1) CWE-565 Reliance on Cookies without Validation and Integrity Checking
1% (1) CWE-384 Session Fixation
1% (1) CWE-311 Missing Encryption of Sensitive Data
1% (1) CWE-287 Improper Authentication
1% (1) CWE-276 Incorrect Default Permissions
1% (1) CWE-255 Credentials Management
1% (1) CWE-254 Security Features
1% (1) CWE-209 Information Exposure Through an Error Message
1% (1) CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer
1% (1) CWE-74 Failure to Sanitize Data into a Different Plane ('Injection')

Open Source Vulnerability Database (OSVDB)

This CPE has more than 25 relations. If you want to see a complete summary for this CPE, please contact us.
id Description
73378 IBM WebSphere Application Server (WAS) JavaServer Pages org.apache.jasper.run...
73354 IBM WebSphere Application Server (WAS) HTTP Transport SIP Proxy UDP Message S...
73353 IBM WebSphere Application Server (WAS) Messaging Engine JMS Receive Call NULL...
73352 IBM WebSphere Application Server (WAS) Service Integration Bus (SIB) Messagin...
73348 IBM WebSphere Application Server (WAS) Security Component ibm-application-bnd...
73346 IBM WebSphere Application Server (WAS) HTTP Server Plugin Trace Request XSS
73341 IBM WebSphere Application Server (WAS) Installer Temporary Log Directory Perm...
73052 IBM WebSphere Application Server Admin Security Disable CSRF
71456 IBM WebSphere Application Server IVT Unspecified XSS
65653 IBM WebSphere Application Server (WAS) on z/OS default_create.log BBOWWPFx Jo...
65652 IBM WebSphere Application Server (WAS) on z/OS Unspecified Link Injection
65651 IBM WebSphere Application Server (WAS) on z/OS Admin Console Unspecified XSS
63480 IBM WebSphere Application Server (WAS) Administration Console URI XSS
63308 IBM WebSphere Application Server Orb Client SSL Handshake Remote DoS
63307 IBM WebSphere Application Server J2CConnectionFactory Object Cleartext Passwo...
55079 IBM WebSphere Multiple Products Migration IsSecurityEnabled Flag Unspecified ...
55077 IBM WebSphere Application Server (WAS) Administrative Console Component Confi...
55076 IBM WebSphere Application Server (WAS) System Management/Repository Component...
55075 IBM WebSphere Application Server (WAS) Security Component Non-standard HTTP M...
55074 IBM WebSphere Application Server (WAS) Administrative Console Component Secur...
53979 IBM WebSphere Application Server (WAS) WebContainer Component Unspecified CRL...
52600 IBM WebSphere Application Server (WAS) Web Services WSPolicy IDAssertion.isUs...
52599 IBM WebSphere Application Server (WAS) on Windows JSP Handling Unspecified Ex...
52598 IBM WebSphere Application Server (WAS) Unspecified SSL Traffic Routing Weakness
52595 IBM WebSphere Application Server (WAS) PMI/Performance Tools PerfServlet Mult...

ExploitDB Exploits

id Description
17404 IBM WebSphere Application Server 7.0.0.13 CSRF Vulnerability

OpenVAS Exploits

Date Description
2012-05-11 Name : IBM WebSphere Application Server 'plugin-key.kdb' Information Disclosure Vuln...
File : nvt/gb_ibm_was_plugin_key_info_disc_vuln.nasl
2011-07-22 Name : IBM WebSphere Application Server Multiple CSRF Vulnerabilities
File : nvt/secpod_ibm_was_admin_console_csrf_vuln.nasl
2011-03-22 Name : IBM WebSphere Application Server (WAS) Multiple Vulnerabilities - March 2011
File : nvt/gb_ibm_was_mult_vuln_mar11.nasl
2010-04-01 Name : IBM WebSphere Application Server multiple vulnerabilities
File : nvt/gb_ibm_websphere_mult_vuln.nasl

Information Assurance Vulnerability Management (IAVM)

id Description
2015-A-0158 Multiple Vulnerabilities in Oracle Java SE
Severity: Category I - VMSKEY: V0061089
2013-A-0220 Multiple Vulnerabilities in Mozilla Products
Severity: Category I - VMSKEY: V0042380

Snort® IPS/IDS

Date Description
2019-07-18 IBM WebSphere Application Server remote code execution attempt
RuleID : 50455 - Type : SERVER-WEBAPP - Revision : 2
2017-04-12 SSL/TLS weak RC4 cipher suite use attempt
RuleID : 41907 - Type : POLICY-OTHER - Revision : 3
2017-04-06 SSLv3 Client Hello attempt
RuleID : 41807 - Type : POLICY-OTHER - Revision : 3
2016-04-05 SSL/TLS weak RC4 cipher suite use attempt
RuleID : 37916 - Type : POLICY-OTHER - Revision : 3
2016-04-05 SSL/TLS weak RC4 cipher suite use attempt
RuleID : 37915 - Type : POLICY-OTHER - Revision : 3
2016-04-05 SSL/TLS weak RC4 cipher suite use attempt
RuleID : 37914 - Type : POLICY-OTHER - Revision : 3
2016-04-05 SSL/TLS weak RC4 cipher suite use attempt
RuleID : 37913 - Type : POLICY-OTHER - Revision : 3
2016-04-05 SSL/TLS weak RC4 cipher suite use attempt
RuleID : 37912 - Type : POLICY-OTHER - Revision : 3
2016-03-14 SSL/TLS weak RC4 cipher suite use attempt
RuleID : 37026 - Type : POLICY-OTHER - Revision : 4
2016-03-14 SSL/TLS weak RC4 cipher suite use attempt
RuleID : 37025 - Type : POLICY-OTHER - Revision : 4

Nessus® Vulnerability Scanner

This CPE has more than 25 relations. If you want to see a complete summary for this CPE, please contact us.
Date Description
2017-12-04 Name: The remote host is missing a vendor-supplied security patch.
File: check_point_gaia_sk106499.nasl - Type: ACT_GATHER_INFO
2017-08-04 Name: The remote web application server is affected by a cross-site scripting vulne...
File: websphere_cve-2017-1380.nasl - Type: ACT_GATHER_INFO
2017-08-04 Name: The remote web application server is affected by an information disclosure vu...
File: websphere_cve-2017-1381.nasl - Type: ACT_GATHER_INFO
2017-08-04 Name: The remote web application server is affected by an insecure file permissions...
File: websphere_cve-2017-1382.nasl - Type: ACT_GATHER_INFO
2016-07-25 Name: The remote web server is affected by multiple vulnerabilities.
File: oracle_http_server_cpu_jul_2016.nasl - Type: ACT_GATHER_INFO
2016-07-19 Name: The remote Red Hat host is missing one or more security updates.
File: redhat-RHSA-2016-1430.nasl - Type: ACT_GATHER_INFO
2016-07-14 Name: A video conferencing application running on the remote host is affected by mu...
File: cisco_telepresence_vcs_multiple_880.nasl - Type: ACT_GATHER_INFO
2016-06-23 Name: The remote device is affected by multiple vulnerabilities.
File: juniper_space_jsa10727.nasl - Type: ACT_GATHER_INFO
2016-06-16 Name: The remote host is affected by a security feature bypass vulnerability.
File: ibm_storwize_cve_2015_2808.nasl - Type: ACT_GATHER_INFO
2016-04-29 Name: The remote host is affected by multiple vulnerabilities.
File: hp_data_protector_hpsbgn03580.nasl - Type: ACT_GATHER_INFO
2016-03-17 Name: The remote SUSE host is missing one or more security updates.
File: suse_SU-2016-0776-1.nasl - Type: ACT_GATHER_INFO
2016-03-16 Name: The remote SUSE host is missing one or more security updates.
File: suse_SU-2016-0770-1.nasl - Type: ACT_GATHER_INFO
2016-03-04 Name: The remote SUSE host is missing one or more security updates.
File: suse_SU-2016-0636-1.nasl - Type: ACT_GATHER_INFO
2016-03-01 Name: The remote AIX host has a version of Java SDK installed that is affected by m...
File: aix_java_jan2016_advisory.nasl - Type: ACT_GATHER_INFO
2016-02-29 Name: The remote AIX host is missing a vendor-supplied security patch.
File: aix_U867669.nasl - Type: ACT_GATHER_INFO
2016-02-12 Name: The remote SUSE host is missing one or more security updates.
File: suse_SU-2016-0431-1.nasl - Type: ACT_GATHER_INFO
2016-02-12 Name: The remote SUSE host is missing one or more security updates.
File: suse_SU-2016-0433-1.nasl - Type: ACT_GATHER_INFO
2016-02-11 Name: The remote SUSE host is missing one or more security updates.
File: suse_SU-2016-0390-1.nasl - Type: ACT_GATHER_INFO
2016-02-03 Name: The remote Red Hat host is missing one or more security updates.
File: redhat-RHSA-2016-0098.nasl - Type: ACT_GATHER_INFO
2016-02-03 Name: The remote Red Hat host is missing one or more security updates.
File: redhat-RHSA-2016-0099.nasl - Type: ACT_GATHER_INFO
2016-02-03 Name: The remote Red Hat host is missing one or more security updates.
File: redhat-RHSA-2016-0100.nasl - Type: ACT_GATHER_INFO
2016-02-03 Name: The remote Red Hat host is missing one or more security updates.
File: redhat-RHSA-2016-0101.nasl - Type: ACT_GATHER_INFO
2016-01-14 Name: The remote SUSE host is missing one or more security updates.
File: suse_SU-2016-0113-1.nasl - Type: ACT_GATHER_INFO
2016-01-06 Name: The remote database server is affected by multiple vulnerabilities.
File: db2_105fp7_nix.nasl - Type: ACT_GATHER_INFO
2016-01-06 Name: The remote database server is affected by multiple vulnerabilities.
File: db2_105fp7_win.nasl - Type: ACT_GATHER_INFO