BEA WebLogic Role Interpretation Privilege Escalation

2004-06-28T00:00:00
ID OSVDB:7278
Type osvdb
Reporter BEA Systems
Modified 2004-06-28T00:00:00

Description

Vulnerability Description

BEA WebLogic Server and BEA WebLogic Express contain a flaw that may allow a malicious user to gain access to unauthorized resources. The issue is triggered when a Web application specifies a role named * in a <role-name> tag within a <security-constraint> tag. This flaw may lead to a loss of Confidentiality.
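As an added check that is not part of the OSVDB record or of BEA's advisory, the following Python script parses a web.xml deployment descriptor and reports every <security-constraint> whose <auth-constraint> uses the wildcard role name *, so an administrator can review those constraints on WebLogic deployments that have not yet taken the fixed versions. The sample web.xml is constructed for the example; it handles both namespaced (2.4) and DTD-based (2.3) descriptors.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml (not from the advisory): one constraint uses the
# wildcard role, the other names a role explicitly.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/reports/*</url-pattern>
      <url-pattern>/export/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>auditor</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""


def _children(elem, name):
    """Direct children of elem whose local tag name equals name, ignoring any
    XML namespace (web.xml 2.4+ is namespaced, 2.3 DTD descriptors are not)."""
    return [c for c in elem if c.tag.rsplit('}', 1)[-1] == name]


def find_wildcard_role_constraints(xml_text):
    """Return (url_patterns, role_names) for every <security-constraint>
    whose <auth-constraint> lists the wildcard <role-name>*</role-name>."""
    root = ET.fromstring(xml_text)
    findings = []
    for sc in _children(root, 'security-constraint'):
        roles = [(rn.text or '').strip()
                 for ac in _children(sc, 'auth-constraint')
                 for rn in _children(ac, 'role-name')]
        if '*' not in roles:
            continue
        patterns = [(up.text or '').strip()
                    for wrc in _children(sc, 'web-resource-collection')
                    for up in _children(wrc, 'url-pattern')]
        findings.append((patterns, roles))
    return findings


if __name__ == '__main__':
    for patterns, roles in find_wildcard_role_constraints(SAMPLE_WEB_XML):
        print('wildcard role constraint on', ', '.join(patterns), '-> roles', roles)
```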

Solution Description

Upgrade to versions 7.0 SP6, 8.1 SP3 or higher when they become available, as they have been reported to fix this vulnerability. The vendor has also released a set of patches that can be applied to versions 7.0 SP5 and 8.1 SP2.

References:

Vendor Specific Advisory URL
Security Tracker: 1010602
Secunia Advisory ID: 11959
ISS X-Force ID: 16534