CVE-2009-1172

IBM WebSphere Application Server 6.1-7.0 - Improper Input Validation in JAX-RPC WS-Security UsernameToken

Title source: llm
STIX 2.1

Description

The JAX-RPC WS-Security runtime in the Web Services Security component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.23 and 7.0 before 7.0.0.3, when APAR PK41002 is installed, does not properly validate UsernameToken objects, which has unknown impact and attack vectors.

References (7)

Core 7
Core References
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/34131
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/34461
Various Sources vendor-advisory x_refsource_aixapar
http://www-01.ibm.com/support/docview.wss?uid=swg1PK75992
Various Sources x_refsource_confirm
http://www-01.ibm.com/support/docview.wss?uid=swg21367223
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/34502

Scores

EPSS 0.0183
EPSS Percentile 76.3%

Details

CWE
CWE-20
Status published
Products (27)
ibm/websphere_application_server 6.1
ibm/websphere_application_server 6.1.0
ibm/websphere_application_server 6.1.0.0
ibm/websphere_application_server 6.1.0.1
ibm/websphere_application_server 6.1.0.2
ibm/websphere_application_server 6.1.0.3
ibm/websphere_application_server 6.1.0.4
ibm/websphere_application_server 6.1.0.5
ibm/websphere_application_server 6.1.0.6
ibm/websphere_application_server 6.1.0.7
... and 17 more
Published Mar 31, 2009
Tracked Since Feb 18, 2026