Severity: 5 Medium
CVSS2 vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Java is vulnerable to authentication bypass. A flaw was found in the way the XML Digital Signature implementation in the JRE handled HMAC-based XML signatures. An attacker could use this flaw to create a crafted signature that could allow them to bypass authentication, or to trick a user, applet, or application into accepting untrusted content.
blogs.sun.com/security/entry/advance_notification_of_security_updates5
blogs.sun.com/security/entry/cert_vulnerability_note_vu_466161
git.gnome.org/cgit/xmlsec/commit/?id=34b349675af9f72eb822837a8772cc1ead7115c7
git.gnome.org/cgit/xmlsec/patch/?id=34b349675af9f72eb822837a8772cc1ead7115c7
lists.apple.com/archives/security-announce/2009/Sep/msg00000.html
lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html
lists.opensuse.org/opensuse-security-announce/2010-03/msg00005.html
marc.info/?l=bugtraq&m=125787273209737&w=2
osvdb.org/55895
osvdb.org/55907
secunia.com/advisories/34461
secunia.com/advisories/35776
secunia.com/advisories/35852
secunia.com/advisories/35853
secunia.com/advisories/35854
secunia.com/advisories/35855
secunia.com/advisories/35858
secunia.com/advisories/36162
secunia.com/advisories/36176
secunia.com/advisories/36180
secunia.com/advisories/36494
secunia.com/advisories/37300
secunia.com/advisories/37671
secunia.com/advisories/37841
secunia.com/advisories/38567
secunia.com/advisories/38568
secunia.com/advisories/38695
secunia.com/advisories/38921
secunia.com/advisories/41818
secunia.com/advisories/60799
sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1
sunsolve.sun.com/search/document.do?assetkey=1-66-263429-1
sunsolve.sun.com/search/document.do?assetkey=1-66-269208-1
sunsolve.sun.com/search/document.do?assetkey=1-77-1020710.1-1
svn.apache.org/viewvc?revision=794013&view=revision
www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D400&uid=swg24023545&loc=en_US&cs=UTF-8&lang=en&rss=ct180websphere
www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D400&uid=swg24023723&loc=en_US&cs=UTF-8&lang=en&rss=ct180websphere
www-01.ibm.com/support/docview.wss?rs=180&uid=swg21384925
www.aleksey.com/xmlsec/
www.debian.org/security/2010/dsa-1995
www.gentoo.org/security/en/glsa/glsa-201408-19.xml
www.kb.cert.org/vuls/id/466161
www.kb.cert.org/vuls/id/MAPG-7TSKXQ
www.kb.cert.org/vuls/id/WDON-7TY529
www.mandriva.com/security/advisories?name=MDVSA-2009:209
www.mono-project.com/Vulnerabilities
www.openoffice.org/security/cves/CVE-2009-0217.html
www.oracle.com/technetwork/topics/security/cpujul2009-091332.html
www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html
www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html
www.redhat.com/security/updates/classification/#important
www.redhat.com/support/errata/RHSA-2009-1694.html
www.securityfocus.com/bid/35671
www.securitytracker.com/id?1022561
www.securitytracker.com/id?1022567
www.securitytracker.com/id?1022661
www.ubuntu.com/usn/USN-903-1
www.us-cert.gov/cas/techalerts/TA09-294A.html
www.us-cert.gov/cas/techalerts/TA10-159B.html
www.vupen.com/english/advisories/2009/1900
www.vupen.com/english/advisories/2009/1908
www.vupen.com/english/advisories/2009/1909
www.vupen.com/english/advisories/2009/1911
www.vupen.com/english/advisories/2009/2543
www.vupen.com/english/advisories/2009/3122
www.vupen.com/english/advisories/2010/0366
www.vupen.com/english/advisories/2010/0635
www.w3.org/2008/06/xmldsigcore-errata.html#e03
www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html
access.redhat.com/errata/RHSA-2009:1201
bugzilla.redhat.com/show_bug.cgi?id=511915
docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-041
issues.apache.org/bugzilla/show_bug.cgi?id=47526
issues.apache.org/bugzilla/show_bug.cgi?id=47527
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10186
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7158
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8717
rhn.redhat.com/errata/RHSA-2009-1200.html
rhn.redhat.com/errata/RHSA-2009-1201.html
rhn.redhat.com/errata/RHSA-2009-1428.html
rhn.redhat.com/errata/RHSA-2009-1636.html
rhn.redhat.com/errata/RHSA-2009-1637.html
rhn.redhat.com/errata/RHSA-2009-1649.html
rhn.redhat.com/errata/RHSA-2009-1650.html
usn.ubuntu.com/826-1/
www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html
www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html
www.redhat.com/archives/fedora-package-announce/2009-August/msg00494.html
www.redhat.com/archives/fedora-package-announce/2009-August/msg00505.html