CVE-2009-0892
IBM WebSphere Application Server - Authentication Bypass
The administrative console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.23 and 7.0 before 7.0.0.3 allows attackers to hijack user sessions in "specific scenarios" related to a forced logout.
References (6)
Scores
EPSS: 0.0038
EPSS Percentile: 58.9%
Classification
CWE: CWE-287
Status: draft
Affected Products (27)
ibm/websphere_application_server (15 entries shown, and 12 more)
Timeline
Published: Mar 31, 2009
Tracked Since: Feb 18, 2026