CVE Vulnerabilities

CVE-2009-2088

Improper Authentication

Published: Aug 13, 2009 | Modified: Aug 17, 2017
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
7.5 HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P
RedHat/V2
RedHat/V3
Ubuntu

The Servlet Engine/Web Container component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.25 and 7.0 before 7.0.0.5, when SPNEGO Single Sign-on (SSO) and disableSecurityPreInvokeOnFilters are configured, allows remote attackers to bypass authentication via a request for a secure URL, related to a certain invokefilterscompatibility property.

Weakness

When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

Affected Software

Name Vendor Start Version End Version
Websphere_application_server Ibm 6.1 6.1
Websphere_application_server Ibm 6.1.0 6.1.0
Websphere_application_server Ibm 6.1.0.0 6.1.0.0
Websphere_application_server Ibm 6.1.0.1 6.1.0.1
Websphere_application_server Ibm 6.1.0.2 6.1.0.2
Websphere_application_server Ibm 6.1.0.3 6.1.0.3
Websphere_application_server Ibm 6.1.0.4 6.1.0.4
Websphere_application_server Ibm 6.1.0.5 6.1.0.5
Websphere_application_server Ibm 6.1.0.6 6.1.0.6
Websphere_application_server Ibm 6.1.0.7 6.1.0.7
Websphere_application_server Ibm 6.1.0.8 6.1.0.8
Websphere_application_server Ibm 6.1.0.9 6.1.0.9
Websphere_application_server Ibm 6.1.0.10 6.1.0.10
Websphere_application_server Ibm 6.1.0.11 6.1.0.11
Websphere_application_server Ibm 6.1.0.12 6.1.0.12
Websphere_application_server Ibm 6.1.0.13 6.1.0.13
Websphere_application_server Ibm 6.1.0.14 6.1.0.14
Websphere_application_server Ibm 6.1.0.15 6.1.0.15
Websphere_application_server Ibm 6.1.0.16 6.1.0.16
Websphere_application_server Ibm 6.1.0.17 6.1.0.17
Websphere_application_server Ibm 6.1.0.18 6.1.0.18
Websphere_application_server Ibm 6.1.0.19 6.1.0.19
Websphere_application_server Ibm 6.1.0.20 6.1.0.20
Websphere_application_server Ibm 6.1.0.21 6.1.0.21
Websphere_application_server Ibm 6.1.0.22 6.1.0.22
Websphere_application_server Ibm 6.1.0.23 6.1.0.23
Websphere_application_server Ibm 6.1.0.24 6.1.0.24
Websphere_application_server Ibm 7.0 7.0
Websphere_application_server Ibm 7.0.0.1 7.0.0.1
Websphere_application_server Ibm 7.0.0.3 7.0.0.3
Websphere_application_server Ibm 7.0.0.4 7.0.0.4

Potential Mitigations

References