Vulnerability Name:

CVE-2009-2746 (CCN-54227)

Assigned:2009-11-13
Published:2009-11-13
Updated:2017-08-17
Summary:Cross-site request forgery (CSRF) vulnerability in the administrative console in the Security component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.39, 6.1 before 6.1.0.29, and 7.0 before 7.0.0.7 allows remote attackers to hijack the authentication of administrators via unspecified vectors.
CVSS v3 Severity:5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.9 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-352
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2009-2746

Source: CCN
Type: SA37221
IBM WebSphere Application Server for z/OS Multiple Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
37221

Source: CCN
Type: SA37772
IBM WebSphere Application Server Two Vulnerabilities

Source: CCN
Type: IBM Reference #: 7004980
Recommended fixes for WebSphere Application Server

Source: AIXAPAR
Type: UNKNOWN
PK87176

Source: AIXAPAR
Type: UNKNOWN
PK99477

Source: CCN
Type: IBM Support & downloads
PK99477: SHIP APAR FIXES FOR H28W700 FIX PACK 7.0.0.7.

Source: CONFIRM
Type: Patch
http://www-01.ibm.com/support/docview.wss?uid=swg27014463

Source: CCN
Type: OSVDB ID: 60197
IBM WebSphere Application Server (WAS) Administrative Console Security Component Unspecified CSRF

Source: XF
Type: UNKNOWN
was-adminconsole-csrf(54227)

Source: XF
Type: UNKNOWN
was-adminconsole-csrf(54227)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:ibm:websphere_application_server:6.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.0.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.0.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.0.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.0.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.0.2.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.0.2.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.0.2.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.0.2.8:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.0.2.9:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.0.2.10:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.0.2.11:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.0.2.12:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.0.2.13:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.0.2.14:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.0.2.15:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.0.2.16:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.0.2.17:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.0.2.18:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.0.2.19:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.0.2.20:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.0.2.21:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.0.2.22:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.0.2.23:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.0.2.24:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.0.2.25:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.0.2.27:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.0.2.28:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.0.2.29:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.0.2.30:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.0.2.31:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.0.2.32:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.0.2.33:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.0.2.35:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.0.2.37:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.1.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.1.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.1.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.1.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.1.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.1.0.9:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.1.0.11:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.1.0.12:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.1.0.13:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.1.0.15:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.1.0.17:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.1.0.19:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.1.0.21:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.1.0.23:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.1.0.25:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.1.0.27:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:7.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:7.0.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:7.0.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:7.0.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:7.0.0.5:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:ibm:websphere_application_server:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:6.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:7.0:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    ibm websphere application server 6.0.2
    ibm websphere application server 6.0.2.1
    ibm websphere application server 6.0.2.2
    ibm websphere application server 6.0.2.3
    ibm websphere application server 6.0.2.4
    ibm websphere application server 6.0.2.5
    ibm websphere application server 6.0.2.6
    ibm websphere application server 6.0.2.7
    ibm websphere application server 6.0.2.8
    ibm websphere application server 6.0.2.9
    ibm websphere application server 6.0.2.10
    ibm websphere application server 6.0.2.11
    ibm websphere application server 6.0.2.12
    ibm websphere application server 6.0.2.13
    ibm websphere application server 6.0.2.14
    ibm websphere application server 6.0.2.15
    ibm websphere application server 6.0.2.16
    ibm websphere application server 6.0.2.17
    ibm websphere application server 6.0.2.18
    ibm websphere application server 6.0.2.19
    ibm websphere application server 6.0.2.20
    ibm websphere application server 6.0.2.21
    ibm websphere application server 6.0.2.22
    ibm websphere application server 6.0.2.23
    ibm websphere application server 6.0.2.24
    ibm websphere application server 6.0.2.25
    ibm websphere application server 6.0.2.27
    ibm websphere application server 6.0.2.28
    ibm websphere application server 6.0.2.29
    ibm websphere application server 6.0.2.30
    ibm websphere application server 6.0.2.31
    ibm websphere application server 6.0.2.32
    ibm websphere application server 6.0.2.33
    ibm websphere application server 6.0.2.35
    ibm websphere application server 6.0.2.37
    ibm websphere application server 6.1
    ibm websphere application server 6.1.0
    ibm websphere application server 6.1.0.0
    ibm websphere application server 6.1.0.1
    ibm websphere application server 6.1.0.2
    ibm websphere application server 6.1.0.3
    ibm websphere application server 6.1.0.5
    ibm websphere application server 6.1.0.7
    ibm websphere application server 6.1.0.9
    ibm websphere application server 6.1.0.11
    ibm websphere application server 6.1.0.12
    ibm websphere application server 6.1.0.13
    ibm websphere application server 6.1.0.15
    ibm websphere application server 6.1.0.17
    ibm websphere application server 6.1.0.19
    ibm websphere application server 6.1.0.21
    ibm websphere application server 6.1.0.23
    ibm websphere application server 6.1.0.25
    ibm websphere application server 6.1.0.27
    ibm websphere application server 7.0
    ibm websphere application server 7.0.0.1
    ibm websphere application server 7.0.0.3
    ibm websphere application server 7.0.0.4
    ibm websphere application server 7.0.0.5
    ibm websphere application server 6.0
    ibm websphere application server 6.1
    ibm websphere application server 7.0