CVE-2009-0891
IBM WebSphere Application Server 6.0.2-6.1.0.22 and 7.0 - Session Hijacking via WS-Security Bypass
Title source: llmDescription
The Web Services Security component in IBM WebSphere Application Server 7.0 before Fix Pack 1 (7.0.0.1), 6.1 before Fix Pack 23 (6.1.0.23), and 6.0.2 before Fix Pack 33 (6.0.2.33) does not properly enforce (1) nonce and (2) timestamp expiration values in WS-Security bindings as stored in the com.ibm.wsspi.wssecurity.core custom property, which allows remote authenticated users to conduct session hijacking attacks.
References (6)
Core References
Patch (x_refsource_confirm): http://www-01.ibm.com/support/docview.wss?uid=swg27007951
Third Party Advisory (third-party-advisory, x_refsource_secunia): http://secunia.com/advisories/34131
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_xf): https://exchange.xforce.ibmcloud.com/vulnerabilities/49391
Patch (x_refsource_confirm): http://www-01.ibm.com/support/docview.wss?uid=swg27006876
Patch (x_refsource_confirm): http://www-01.ibm.com/support/docview.wss?uid=swg27014463
Various Sources (vendor-advisory, x_refsource_aixapar): http://www-1.ibm.com/support/search.wss?rs=0&q=PK66676&apar=only
Scores
EPSS: 0.0176
EPSS Percentile: 75.2%
Details
CWE: CWE-287
Status: published
Products (49)
ibm/websphere_application_server
6.0.2 (2 CPE variants)
ibm/websphere_application_server
6.0.2.1
ibm/websphere_application_server
6.0.2.2
ibm/websphere_application_server
6.0.2.3
ibm/websphere_application_server
6.0.2.4
ibm/websphere_application_server
6.0.2.5
ibm/websphere_application_server
6.0.2.6
ibm/websphere_application_server
6.0.2.7
ibm/websphere_application_server
6.0.2.8
ibm/websphere_application_server
6.0.2.9
... and 39 more
Published: Mar 25, 2009
Tracked Since: Feb 18, 2026