History: Jul 07, 2004 - 4:00 a.m.

CVE-2004-0470

2004-07-07 04:00:00
web.nvd.nist.gov
cve-2004-0470
bea weblogic server
weblogic express
security role assignment
access restrictions
nvd

CVSS2: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P

AI Score: 7.1 High (Confidence: Low)
EPSS: 0.006 Low (Percentile: 77.6%)

BEA WebLogic Server and WebLogic Express 7.0 through SP5 and 8.1 through SP2, when editing weblogic.xml using WebLogic Builder or the SecurityRoleAssignmentMBean.toXML method, inadvertently removes security-role-assignment tags when weblogic.xml does not have a principal-name tag, which can remove intended access restrictions for the associated web application.

Affected configurations

NVD
Node (entries joined by OR):
bea weblogic_server, Match 7.0
bea weblogic_server, Match 7.0 express
bea weblogic_server, Match 8.1
bea weblogic_server, Match 8.1 express
