CVE-2004-0470 - OpenCVE

BEA WebLogic Server and WebLogic Express 7.0 through SP5 and 8.1 through SP2, when editing weblogic.xml using WebLogic Builder or the SecurityRoleAssignmentMBean.toXML method, inadvertently removes security-role-assignment tags when weblogic.xml does not have a principal-name tag, which can remove intended access restrictions for the associated web application.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Bea	Weblogic Server

Configuration 1 [-]

OR	cpe:2.3:a:bea:weblogic_server:7.0:::::::*
	cpe:2.3:a:bea:weblogic_server:7.0::express:::::
	cpe:2.3:a:bea:weblogic_server:8.1:::::::*
	cpe:2.3:a:bea:weblogic_server:8.1::express:::::

References

Link	Resource
http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_59.00.jsp	Patch Vendor Advisory
http://secunia.com/advisories/11593
http://securitytracker.com/id?1010128
http://www.kb.cert.org/vuls/id/950070	Third Party Advisory US Government Resource
http://www.osvdb.org/6076
http://www.securityfocus.com/bid/10328
https://exchange.xforce.ibmcloud.com/vulnerabilities/16123

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2004-05-20T04:00:00

Updated: 2017-07-10T14:57:01

Reserved: 2004-05-13T00:00:00

Link: CVE-2004-0470

JSON object: View

NVD Information

Status : Modified

Published: 2004-07-07T04:00:00.000

Modified: 2017-07-11T01:30:11.150

Link: CVE-2004-0470

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-Other

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2004-05-11T00:00:00", "descriptions": [{"lang": "en", "value": "BEA WebLogic Server and WebLogic Express 7.0 through SP5 and 8.1 through SP2, when editing weblogic.xml using WebLogic Builder or the SecurityRoleAssignmentMBean.toXML method, inadvertently removes security-role-assignment tags when weblogic.xml does not have a principal-name tag, which can remove intended access restrictions for the associated web application."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-07-10T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "11593", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/11593"}, {"name": "weblogic-application-unauth-access(16123)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/16123"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_59.00.jsp"}, {"name": "1010128", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://securitytracker.com/id?1010128"}, {"name": "6076", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://www.osvdb.org/6076"}, {"name": "VU#950070", "tags": ["third-party-advisory", "x_refsource_CERT-VN"], "url": "http://www.kb.cert.org/vuls/id/950070"}, {"name": "10328", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/10328"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2004-0470", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "BEA WebLogic Server and WebLogic Express 7.0 through SP5 and 8.1 through SP2, when editing weblogic.xml using WebLogic Builder or the SecurityRoleAssignmentMBean.toXML method, inadvertently removes security-role-assignment tags when weblogic.xml does not have a principal-name tag, which can remove intended access restrictions for the associated web application."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "11593", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/11593"}, {"name": "weblogic-application-unauth-access(16123)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/16123"}, {"name": "http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_59.00.jsp", "refsource": "CONFIRM", "url": "http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_59.00.jsp"}, {"name": "1010128", "refsource": "SECTRACK", "url": "http://securitytracker.com/id?1010128"}, {"name": "6076", "refsource": "OSVDB", "url": "http://www.osvdb.org/6076"}, {"name": "VU#950070", "refsource": "CERT-VN", "url": "http://www.kb.cert.org/vuls/id/950070"}, {"name": "10328", "refsource": "BID", "url": "http://www.securityfocus.com/bid/10328"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2004-0470", "datePublished": "2004-05-20T04:00:00", "dateReserved": "2004-05-13T00:00:00", "dateUpdated": "2017-07-10T14:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bea:weblogic_server:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "F9C5AFCF-79D8-4005-B800-B0C6BD461276", "vulnerable": true}, {"criteria": "cpe:2.3:a:bea:weblogic_server:7.0:*:express:*:*:*:*:*", "matchCriteriaId": "FBDF3AC0-0680-4EEE-898C-47D194667BE2", "vulnerable": true}, {"criteria": "cpe:2.3:a:bea:weblogic_server:8.1:*:*:*:*:*:*:*", "matchCriteriaId": "E08D4CEA-9ACC-4869-BC87-3524A059914F", "vulnerable": true}, {"criteria": "cpe:2.3:a:bea:weblogic_server:8.1:*:express:*:*:*:*:*", "matchCriteriaId": "ADED8968-EA9C-4F0E-AD2F-BC834F4D8A58", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "BEA WebLogic Server and WebLogic Express 7.0 through SP5 and 8.1 through SP2, when editing weblogic.xml using WebLogic Builder or the SecurityRoleAssignmentMBean.toXML method, inadvertently removes security-role-assignment tags when weblogic.xml does not have a principal-name tag, which can remove intended access restrictions for the associated web application."}, {"lang": "es", "value": "BEA WebLogic Server y WebLocic Express 7.0 hasta SP5 y 8.1 hasta SP2, cuando se edita weblogic.xml usando WebLocic Builder o el m\u00e9todo SecurityRoleAssignmentMBean.toXML, quita de manera inadvertida etiquetas de asignaci\u00f3n de papel de seguridad cuando weblogic.xml no tiene una etiqueta de nombre principal, lo que puede eliminar las restricciones de acceso pretendidas para la aplicaci\u00f3n web asociada."}], "id": "CVE-2004-0470", "lastModified": "2017-07-11T01:30:11.150", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2004-07-07T04:00:00.000", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_59.00.jsp"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/11593"}, {"source": "cve@mitre.org", "url": "http://securitytracker.com/id?1010128"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/950070"}, {"source": "cve@mitre.org", "url": "http://www.osvdb.org/6076"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/10328"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/16123"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}