PT-2004-1793 · BEA · WebLogic Server, WebLogic Express
Published
2004-07-21
·
Updated
2017-07-11
·
CVE-2004-0713
CVSS v2.0
6.4
Medium
| Vector | AV:N/AC:L/Au:N/C:N/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
BEA WebLogic Server and WebLogic Express versions 6.1 through SP6
BEA WebLogic Server and WebLogic Express versions 7.0 through SP4
BEA WebLogic Server and WebLogic Express versions 8.1 through SP2
Description
The remove method of a stateful session Enterprise JavaBean (EJB) unexports the bean from its remote views before the container checks the caller's EJB method permissions. Because the permission check runs after the state change, a remote authenticated user who is not allowed to call remove still removes the bean: the security exception is thrown, but only after the bean has already been unexported, so legitimate clients lose access to it (integrity and availability impact, as reflected in the CVSS vector).
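The ordering defect is easiest to see side by side. The following is an added example written for this entry, not WebLogic or javax.ejb code: it models a container's remote-view registry and a role-based method-permission check with hypothetical classes (RemoteViews, MethodPermissions, removeVulnerable, removeFixed). removeVulnerable unexports the bean and then checks permissions, reproducing the pattern described above; removeFixed checks first and only then unexports.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Hypothetical model of an EJB container's remove() path, written for this
// advisory. It is not WebLogic code and uses no javax.ejb API.
public class StatefulRemoveOrdering {

    /** Remote views: bean handle -> exported stateful bean instance. */
    static final class RemoteViews {
        private final Map<String, Object> exported = new HashMap<>();
        void export(String handle, Object bean) { exported.put(handle, bean); }
        void unexport(String handle) { exported.remove(handle); }
        boolean isExported(String handle) { return exported.containsKey(handle); }
    }

    /** Stand-in for the container's EJB method permissions (method -> roles allowed). */
    static final class MethodPermissions {
        private final Map<String, Set<String>> rolesAllowed = new HashMap<>();
        void allow(String method, String role) {
            rolesAllowed.computeIfAbsent(method, k -> new HashSet<>()).add(role);
        }
        void check(String method, Set<String> callerRoles) {
            Set<String> allowed = rolesAllowed.getOrDefault(method, Set.of());
            for (String role : callerRoles) {
                if (allowed.contains(role)) return;
            }
            throw new SecurityException("caller not permitted to invoke " + method);
        }
    }

    /** Vulnerable ordering: the bean is unexported before the caller is authorized. */
    static void removeVulnerable(RemoteViews views, MethodPermissions perms,
                                 String handle, Set<String> callerRoles) {
        views.unexport(handle);              // state change happens unconditionally
        perms.check("remove", callerRoles);  // exception is thrown, but the bean is already gone
    }

    /** Fixed ordering: authorize first; touch no state unless the check passes. */
    static void removeFixed(RemoteViews views, MethodPermissions perms,
                            String handle, Set<String> callerRoles) {
        perms.check("remove", callerRoles);  // throws before any state is modified
        views.unexport(handle);
    }

    public static void main(String[] args) {
        MethodPermissions perms = new MethodPermissions();
        perms.allow("remove", "admin");
        Set<String> lowPrivCaller = Set.of("user");  // constructed: a caller without the admin role

        // Same denied call against both orderings; compare whether the bean survives.
        RemoteViews v1 = new RemoteViews();
        v1.export("cart-1", new Object());
        try {
            removeVulnerable(v1, perms, "cart-1", lowPrivCaller);
        } catch (SecurityException e) {
            System.out.println("vulnerable: " + e.getMessage());
        }
        System.out.println("vulnerable: bean still exported after denied remove? " + v1.isExported("cart-1"));

        RemoteViews v2 = new RemoteViews();
        v2.export("cart-1", new Object());
        try {
            removeFixed(v2, perms, "cart-1", lowPrivCaller);
        } catch (SecurityException e) {
            System.out.println("fixed: " + e.getMessage());
        }
        System.out.println("fixed: bean still exported after denied remove? " + v2.isExported("cart-1"));
    }
}
```

Both variants throw the same SecurityException to the caller, so the denial looks identical from the client side; the difference is only visible by checking whether the bean is still reachable afterwards. That is also the practical test for a deployment: have an unprivileged principal call remove on a stateful bean it must not remove, then confirm from a permitted client that the bean is still exported.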
Recommendations
For BEA WebLogic Server and WebLogic Express versions 6.1 through SP6, update to a version that includes the security fix.
For BEA WebLogic Server and WebLogic Express versions 7.0 through SP4, update to a version that includes the security fix.
For BEA WebLogic Server and WebLogic Express versions 8.1 through SP2, update to a version that includes the security fix.
Fix
Related Identifiers
Affected Products
Bea Weblogic Server
Weblogic Express