CVE-2016-2923

high

Description

IBM WebSphere Application Server (WAS) 8.5 through 8.5.5.9 Liberty before Liberty Fix Pack 16.0.0.2 does not include the HTTPOnly flag in a Set-Cookie header for an unspecified JAX-RS API cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

References

http://www.securityfocus.com/bid/91518

http://www-01.ibm.com/support/docview.wss?uid=swg21983700

http://www-01.ibm.com/support/docview.wss?uid=swg1PI61936

Details

Source: Mitre, NVD

Published: 2016-07-07

Updated: 2026-05-06

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Severity: High

EPSS

EPSS: 0.00278