PT-2005-5430 · Bea · Bea Weblogic Server+1

Published

2005-12-31

Updated

2008-09-05

CVE-2005-4767

CVSS v2.0

5.1

Medium

Vector

AV:N/AC:H/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions BEA WebLogic Server and WebLogic Express versions 7.0 SP6 and earlier, 8.1 SP5 and earlier

Description The issue allows remote attackers to guess the password more easily because it does not lock out a username after the maximum number of invalid login attempts when using username/password authentication.

Recommendations For versions 7.0 SP6 and earlier, and 8.1 SP5 and earlier, consider implementing a custom authentication mechanism to lock out usernames after a specified number of invalid login attempts as a temporary workaround. Restrict access to the authentication module to minimize the risk of exploitation.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2005-4767

Affected Products

Bea Weblogic Server

Weblogic Express

PT-2005-5430 · Bea · Bea Weblogic Server+1

CVE-2005-4767

Related Identifiers

Affected Products

References · 7