PT-2004-1590 · Bea · Oracle Weblogic Server+2

Published: 2004-05-20 · Updated: 2017-07-11 · CVE-2004-0470

CVSS v2.0: 7.5 (High)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: BEA WebLogic Server and WebLogic Express versions 7.0 through SP5 and 8.1 through SP2

Description: The issue arises when editing weblogic.xml using WebLogic Builder or the SecurityRoleAssignmentMBean.toXML method. If weblogic.xml does not have a principal-name tag, security-role-assignment tags are inadvertently removed. This can lead to the removal of intended access restrictions for the associated web application.

Recommendations: For versions 7.0 through SP5 and 8.1 through SP2, ensure that a principal-name tag is present in weblogic.xml before editing it using WebLogic Builder or the SecurityRoleAssignmentMBean.toXML method to prevent the removal of security-role-assignment tags. As a temporary workaround, consider manually adding the necessary security-role-assignment tags after editing weblogic.xml to maintain intended access restrictions.
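As an added example (not from the advisory or from BEA), a Python check a defender can run around an edit of weblogic.xml: the first function flags security-role-assignment entries that carry no principal-name (the condition described above), and the second diffs the pre-edit and post-edit files for assignments that disappeared. Element names follow the weblogic.xml DTD of the affected 7.0/8.1 releases; both sample documents are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample weblogic.xml fragments (not taken from the advisory).
# In the 7.0/8.1 DTD a security-role-assignment maps a role-name to one or
# more principal-name entries; an assignment with no principal-name is the
# condition under which the editing tools drop the tags.
BEFORE_EDIT = """<weblogic-web-app>
  <security-role-assignment>
    <role-name>admin</role-name>
    <principal-name>Administrators</principal-name>
  </security-role-assignment>
  <security-role-assignment>
    <role-name>auditor</role-name>
  </security-role-assignment>
</weblogic-web-app>"""

# Constructed post-edit document: the assignment lacking a principal-name
# is gone, which is the failure mode the advisory describes.
AFTER_EDIT = """<weblogic-web-app>
  <security-role-assignment>
    <role-name>admin</role-name>
    <principal-name>Administrators</principal-name>
  </security-role-assignment>
</weblogic-web-app>"""


def role_assignments(xml_text):
    """Return {role-name: [principal-name, ...]} for every
    security-role-assignment element in a weblogic.xml document."""
    root = ET.fromstring(xml_text)
    result = {}
    for sra in root.iter("security-role-assignment"):
        role = sra.findtext("role-name", default="").strip()
        principals = [p.text.strip() for p in sra.findall("principal-name") if p.text]
        result[role] = principals
    return result


def roles_missing_principal(xml_text):
    """Pre-edit check: roles whose assignment has no principal-name."""
    return sorted(r for r, p in role_assignments(xml_text).items() if not p)


def dropped_assignments(before_xml, after_xml):
    """Post-edit check: role names whose assignment existed before the
    edit and is absent afterwards."""
    return sorted(set(role_assignments(before_xml)) - set(role_assignments(after_xml)))
```

Run roles_missing_principal on the file before opening it in the tooling, and dropped_assignments on the saved result; a non-empty list in either case means the role mapping needs to be restored by hand before deployment.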

Fix


Related identifiers

CVE-2004-0470

Affected products

Weblogic Builder
Weblogic Express
Oracle Weblogic Server