CVE-2009-2085

IBM WebSphere Application Server <6.1.0.25-7.0.0.5 - Auth Bypass

Title source: llm

Description

The Security component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 and 7.0 before 7.0.0.5 does not properly handle use of Identity Assertion with CSIv2 Security, which allows remote attackers to bypass intended CSIv2 access restrictions via vectors involving Enterprise JavaBeans (EJB).

Scores

EPSS 0.0032
EPSS Percentile 54.8%

Classification

CWE CWE-287
Status draft

Affected Products (31)

ibm/websphere_application_server (15 entries listed; per-version details not shown)
... and 16 more

Timeline

Published Aug 13, 2009
Tracked Since Feb 18, 2026