CVE-2009-1172

The JAX-RPC WS-Security runtime in the Web Services Security component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.23 and 7.0 before 7.0.0.3, when APAR PK41002 is installed, does not properly validate UsernameToken objects, which has unknown impact and attack vectors.

Published: Mar 31, 2009
Updated: Apr 13, 2023
CVE: CVE-2009-1172
Severity: High
Exploit:

CVSS v2:

Severity: High
Score: 10
AV:N/AC:L/Au:N/C:C/I:C/A:C

CWEs:

CWE-20

Affected Software
References

Software	From	Fixed in
ibm / websphere_application_server	6.1.0.21	6.1.0.21.x
ibm / websphere_application_server	6.1	6.1.x
ibm / websphere_application_server	6.1.0.22	6.1.0.22.x
ibm / websphere_application_server	6.1.0.19	6.1.0.19.x
ibm / websphere_application_server	6.1.0.2	6.1.0.2.x
ibm / websphere_application_server	6.1.0.4	6.1.0.4.x
ibm / websphere_application_server	6.1.0.11	6.1.0.11.x
ibm / websphere_application_server	7.0	7.0.x
ibm / websphere_application_server	6.1.0.14	6.1.0.14.x
ibm / websphere_application_server	6.1.0.20	6.1.0.20.x
ibm / websphere_application_server	6.1.0.9	6.1.0.9.x
ibm / websphere_application_server	6.1.0.0	6.1.0.0.x
ibm / websphere_application_server	6.1.0.1	6.1.0.1.x
ibm / websphere_application_server	6.1.0.7	6.1.0.7.x
ibm / websphere_application_server	6.1.0.3	6.1.0.3.x
ibm / websphere_application_server	6.1.0.17	6.1.0.17.x
ibm / websphere_application_server	6.1.0.13	6.1.0.13.x
ibm / websphere_application_server	6.1.0.16	6.1.0.16.x
ibm / websphere_application_server	6.1.0.6	6.1.0.6.x
ibm / websphere_application_server	6.1.0.10	6.1.0.10.x
ibm / websphere_application_server	6.1.0.8	6.1.0.8.x
ibm / websphere_application_server	6.1.0.15	6.1.0.15.x
ibm / websphere_application_server	6.1.0.18	6.1.0.18.x
ibm / websphere_application_server	7.0.0.1	7.0.0.1.x
ibm / websphere_application_server	6.1.0	6.1.0.x
ibm / websphere_application_server	6.1.0.5	6.1.0.5.x
ibm / websphere_application_server	6.1.0.12	6.1.0.12.x

Vulnerability Database

290,020

CVE-2009-1172