PT-2008-2514 · Bea · Bea Weblogic Server

Published 2008-02-22 · Updated 2011-03-08 · CVE-2008-0900

CVSS v2.0: 6.0 (Medium)
Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

BEA WebLogic Server and Express versions 8.1 SP4 through SP6
BEA WebLogic Server and Express versions 9.2 through MP1
BEA WebLogic Server and Express version 10.0
Description

A session fixation issue allows remote authenticated users to hijack web sessions. In a session fixation attack the attacker arranges for the victim to authenticate using a session identifier the attacker already knows; if the server keeps that identifier across the login, the attacker can then present it and act as the authenticated user. The exact vectors used for the hijacking in WebLogic are not specified.
Recommendations

For versions 8.1 SP4 through SP6, 9.2 through MP1, and 10.0, update to a later release that contains the vendor fix for this issue. As a temporary workaround, add session validation in the application itself; the standard countermeasure to session fixation is to issue a new session identifier at the moment a user authenticates and to invalidate the pre-authentication session, so that an identifier an attacker obtained or planted before login is not carried into the authenticated session. This is general guidance for the vulnerability class, not a vendor-specific patch.
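The following script is an added illustration of the attack and the workaround; it is not WebLogic code and does not come from the vendor advisory. It models a toy in-memory server-side session store, replays the fixation sequence against it, and shows that the attacker's pre-planted identifier stops working once the store rotates identifiers on login. The `SessionStore` class, the `check_credentials` helper and the `alice` credential are constructed for the example; the advisory does not say how the attacker gets the victim to use a chosen identifier in WebLogic, so that step is simply assumed.

```python
"""Session fixation against a toy session store, with and without
rotating the session identifier at login.

Added, hypothetical example: this is not WebLogic code and not the
vendor's fix; it demonstrates the vulnerability class and the standard
countermeasure (issue a fresh session id when the user authenticates).
"""
import secrets
from typing import Dict, Optional, Tuple


def check_credentials(username: str, password: str) -> bool:
    """Constructed test credential for the example; not a real account."""
    return (username, password) == ("alice", "correct horse")


class SessionStore:
    """Minimal server-side session table: session id -> session data."""

    def __init__(self, rotate_on_login: bool) -> None:
        # rotate_on_login=False reproduces the fixation-prone behaviour:
        # the session id presented before login is kept after login.
        self.rotate_on_login = rotate_on_login
        self.sessions: Dict[str, Dict[str, Optional[str]]] = {}

    def new_session(self) -> str:
        """Issue an unauthenticated session, as a first request would."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid: str, username: str, password: str) -> Optional[str]:
        """Authenticate; return the session id the client must use afterwards."""
        if sid not in self.sessions:
            return None
        if not check_credentials(username, password):
            return None
        if self.rotate_on_login:
            # Hardened path: discard the pre-authentication id and issue a
            # new one, so an id an attacker planted or learned before the
            # login cannot become an authenticated session.
            del self.sessions[sid]
            sid = secrets.token_hex(16)
            self.sessions[sid] = {"user": None}
        self.sessions[sid]["user"] = username
        return sid

    def whoami(self, sid: Optional[str]) -> Optional[str]:
        """Who the server believes the holder of this session id is."""
        sess = self.sessions.get(sid) if sid is not None else None
        return sess["user"] if sess else None


def fixation_attack(rotate_on_login: bool) -> Tuple[Optional[str], Optional[str]]:
    """Replay the attack; return (attacker's view, victim's view).

    The attacker's view is the user the server associates with the id the
    attacker planted; the victim's view is the user behind the id the
    victim is told to use after login.
    """
    store = SessionStore(rotate_on_login)
    # 1. Attacker obtains a valid, unauthenticated session id.
    planted = store.new_session()
    # 2. The victim is induced to log in with that id (how this happens in
    #    WebLogic is unspecified in the advisory; assumed here).
    victim_sid = store.login(planted, "alice", "correct horse")
    # 3. The attacker keeps using the id they planted.
    return store.whoami(planted), store.whoami(victim_sid)


if __name__ == "__main__":
    print("no rotation :", fixation_attack(False))  # attacker sees alice
    print("rotate login:", fixation_attack(True))   # attacker sees None
```

With `rotate_on_login=False` the planted identifier is the authenticated session, so the attacker and the victim share it; with rotation the victim receives a fresh identifier and the planted one no longer exists on the server. Any real fix must also make sure the new identifier is sent to the client with the same cookie attributes (Secure, HttpOnly) as the original.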

Related Identifiers

CVE-2008-0900

Affected Products

Bea Weblogic Server