CVE-2009-2088

IBM WebSphere Application Server <7.0.0.5 - Auth Bypass

Title source: llm

Description

The Servlet Engine/Web Container component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 and 7.0 before 7.0.0.5, when SPNEGO Single Sign-on (SSO) and disableSecurityPreInvokeOnFilters are configured, allows remote attackers to bypass authentication via a request for a "secure URL," related to a certain invokefilterscompatibility property.

References (5)

[Vendor Advisory] http://www-01.ibm.com/support/docview.wss?uid=swg24022479

[Patch] http://www-01.ibm.com/support/docview.wss?uid=swg27007951

[Patch] http://www-01.ibm.com/support/docview.wss?uid=swg27014463

[Various Sources] http://www-1.ibm.com/support/docview.wss?uid=swg1PK77465

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/52079

Scores

EPSS 0.0055

EPSS Percentile 67.8%

Classification

CWE

CWE-287

Status draft

Affected Products (31)

ibm/websphere_application_server

ibm/websphere_application_server

ibm/websphere_application_server

ibm/websphere_application_server

ibm/websphere_application_server

ibm/websphere_application_server

ibm/websphere_application_server

ibm/websphere_application_server

ibm/websphere_application_server

ibm/websphere_application_server

ibm/websphere_application_server

ibm/websphere_application_server

ibm/websphere_application_server

ibm/websphere_application_server

ibm/websphere_application_server

... and 16 more

Timeline

Published Aug 13, 2009

Tracked Since Feb 18, 2026