MitreCVELIST:CVE-2009-1077CVE-2009-1077
The Change My Password implementation in the admin interface in Sun Java System Identity Manager (IdM) 7.0 through 8.0 does not enforce the RequiresChallenge property setting, which allows remote authenticated users to change the passwords of other users, as demonstrated by changing the administratorβs password.
References
blogs.sun.com/security/entry/sun_alert_253267_sun_java
secunia.com/advisories/34380
securitytracker.com/id?1021881
sunsolve.sun.com/search/document.do?assetkey=1-21-137621-11-1
sunsolve.sun.com/search/document.do?assetkey=1-21-139010-06-1
sunsolve.sun.com/search/document.do?assetkey=1-21-140935-01-1
sunsolve.sun.com/search/document.do?assetkey=1-21-140936-01-1
sunsolve.sun.com/search/document.do?assetkey=1-66-253267-1
www.securityfocus.com/bid/34191
www.vupen.com/english/advisories/2009/0797
Related
