PT-2004-1795 · Bea · Bea Weblogic Express, Bea Weblogic Server
Published 2004-07-21 · Updated 2017-07-11 · CVE-2004-0715
CVSS v2.0: 5.1 (Medium)
| Vector | AV:N/AC:H/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
BEA WebLogic Server versions 7.0 through SP4
BEA WebLogic Server versions 8.1 through SP2
BEA WebLogic Express versions 7.0 through SP4
BEA WebLogic Express versions 8.1 through SP2
Description
The issue arises because the WebLogic Authentication provider does not clear a group's member relationships when that group is deleted. If a new group is later created with the same name, it inherits the members of the deleted group, so those members may gain the privileges granted to the new group.
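The mechanism described above, as an added illustration that is not WebLogic's code: a hypothetical `GroupStore` keeps membership rows keyed by group name, and a delete that forgets to remove those rows lets a later group with the same name inherit them. The example contrasts the flawed and corrected delete paths and includes an audit check for membership rows whose group no longer exists, the kind of stale state a defender would look for after such a bug. Group and user names are constructed sample values.

```python
from dataclasses import dataclass, field


@dataclass
class GroupStore:
    """Hypothetical group directory (assumption for this example, not
    WebLogic's provider). Membership rows are keyed by group *name*, so a row
    that survives its group's deletion attaches to any later group that reuses
    that name."""
    groups: set = field(default_factory=set)
    members: set = field(default_factory=set)  # rows of (group_name, user)

    def create_group(self, name: str) -> None:
        self.groups.add(name)

    def add_member(self, name: str, user: str) -> None:
        if name not in self.groups:
            raise KeyError(f"no such group: {name}")
        self.members.add((name, user))

    def delete_group_unsafe(self, name: str) -> None:
        # Flawed behaviour: the group record goes away, its membership rows stay.
        self.groups.discard(name)

    def delete_group_safe(self, name: str) -> None:
        # Corrected behaviour: membership rows are removed together with the group.
        self.groups.discard(name)
        self.members = {(g, u) for g, u in self.members if g != name}

    def members_of(self, name: str) -> list:
        if name not in self.groups:
            return []
        return sorted(u for g, u in self.members if g == name)


def orphaned_memberships(store: GroupStore) -> list:
    """Audit check: membership rows that point at a group that no longer exists."""
    return sorted((g, u) for g, u in store.members if g not in store.groups)


def recreate_group_scenario(safe: bool) -> list:
    """Create 'admins' with one member, delete it, recreate a group with the
    same name, and report who is a member of the new group."""
    store = GroupStore()
    store.create_group("admins")           # constructed sample group
    store.add_member("admins", "alice")    # constructed sample user
    if safe:
        store.delete_group_safe("admins")
    else:
        store.delete_group_unsafe("admins")
    store.create_group("admins")           # new group, same name, meant to start empty
    return store.members_of("admins")


if __name__ == "__main__":
    print("unsafe delete:", recreate_group_scenario(safe=False))  # ['alice']
    print("safe delete:  ", recreate_group_scenario(safe=True))   # []
```

With the unsafe delete, the recreated `admins` group already contains `alice`; with the safe delete it starts empty. Running `orphaned_memberships` against a store right after an unsafe delete surfaces the stale row before any group name is reused.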
Recommendations
For BEA WebLogic Server versions 7.0 through SP4 and 8.1 through SP2, and for BEA WebLogic Express versions 7.0 through SP4 and 8.1 through SP2, update the authentication provider to properly handle group deletions.
Related Identifiers
Affected Products
Bea Weblogic Express
Bea Weblogic Server