CVE-2009-0903: IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.3, and the Feature Pack for Web Services for WAS 6.1 before 6.1.
Summary
IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.3 and the Feature Pack for Web Services for WAS 6.1 before 6.1.0.25 do not properly handle requests that lack SOAPAction or WS-Addressing Action headers (fields that identify what action a web service request is performing) when WS-Security policies (security rules for web services) are set at the operation level. This allows attackers to send specially crafted requests that bypass the intended access restrictions.
Solution / Mitigation
Update to IBM WebSphere Application Server 7.0.0.3 or later, or update the Feature Pack for Web Services for WAS 6.1 to 6.1.0.25 or later.
Vulnerability Details
CVSS score: 7.5
EPSS: 0.4%
Classification
Original source: https://nvd.nist.gov/vuln/detail/CVE-2009-0903
First tracked: February 15, 2026 at 08:43 PM