CVE-2009-1172
IBM WebSphere Application Server 6.1-7.0 - Improper Input Validation in JAX-RPC WS-Security UsernameToken
Title source: llmDescription
The JAX-RPC WS-Security runtime in the Web Services Security component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.23 and 7.0 before 7.0.0.3, when APAR PK41002 is installed, does not properly validate UsernameToken objects, which has unknown impact and attack vectors.
References (7)
Core 7
Core References
Patch x_refsource_confirm
http://www-01.ibm.com/support/docview.wss?uid=swg27007951
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/34131
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/34461
Various Sources vendor-advisory
x_refsource_aixapar
http://www-01.ibm.com/support/docview.wss?uid=swg1PK75992
Patch x_refsource_confirm
http://www-01.ibm.com/support/docview.wss?uid=swg27014463
Various Sources x_refsource_confirm
http://www-01.ibm.com/support/docview.wss?uid=swg21367223
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/34502
Scores
EPSS
0.0183
EPSS Percentile
76.3%
Details
CWE
CWE-20
Status
published
Products (27)
ibm/websphere_application_server
6.1
ibm/websphere_application_server
6.1.0
ibm/websphere_application_server
6.1.0.0
ibm/websphere_application_server
6.1.0.1
ibm/websphere_application_server
6.1.0.2
ibm/websphere_application_server
6.1.0.3
ibm/websphere_application_server
6.1.0.4
ibm/websphere_application_server
6.1.0.5
ibm/websphere_application_server
6.1.0.6
ibm/websphere_application_server
6.1.0.7
... and 17 more
Published
Mar 31, 2009
Tracked Since
Feb 18, 2026