CVE-2009-3960 - OpenCVE

Unspecified vulnerability in BlazeDS 3.2 and earlier, as used in LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and ColdFusion 7.0.2, 8.0, 8.0.1, and 9.0, allows remote attackers to obtain sensitive information via vectors that are associated with a request, and related to injected tags and external entity references in XML documents.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Adobe	Lifecycle Flex Data Services Lifecycle Data Services Coldfusion Blazeds

Configuration 1 [-]

OR	cpe:2.3:a:adobe:blazeds::::::::
	cpe:2.3:a:adobe:coldfusion:7.0.2:::::::*
	cpe:2.3:a:adobe:coldfusion:8.0:::::::*
	cpe:2.3:a:adobe:coldfusion:8.0.1:::::::*
	cpe:2.3:a:adobe:coldfusion:9.0:::::::*
	cpe:2.3:a:adobe:flex_data_services:2.0.1:::::::*
	cpe:2.3:a:adobe:lifecycle:8.0.1:::::::*
	cpe:2.3:a:adobe:lifecycle:8.2.1:::::::*
	cpe:2.3:a:adobe:lifecycle:9.0:::::::*
	cpe:2.3:a:adobe:lifecycle_data_services:2.5.1:::::::*
	cpe:2.3:a:adobe:lifecycle_data_services:2.6.1:::::::*
	cpe:2.3:a:adobe:lifecycle_data_services:3.0:::::::*

References

Link	Resource
http://secunia.com/advisories/38543
http://securitytracker.com/id?1023584
http://www.adobe.com/support/security/bulletins/apsb10-05.html	Vendor Advisory
http://www.osvdb.org/62292
http://www.securityfocus.com/bid/38197
https://www.exploit-db.com/exploits/41855/

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: adobe

Published: 2010-02-15T18:00:00

Updated: 2017-08-15T09:57:01

Reserved: 2009-11-16T00:00:00

Link: CVE-2009-3960

JSON object: View

NVD Information

Status : Modified

Published: 2010-02-15T18:30:00.407

Modified: 2017-08-16T01:29:00.447

Link: CVE-2009-3960

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2010-02-11T00:00:00", "descriptions": [{"lang": "en", "value": "Unspecified vulnerability in BlazeDS 3.2 and earlier, as used in LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and ColdFusion 7.0.2, 8.0, 8.0.1, and 9.0, allows remote attackers to obtain sensitive information via vectors that are associated with a request, and related to injected tags and external entity references in XML documents."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-15T09:57:01", "orgId": "078d4453-3bcd-4900-85e6-15281da43538", "shortName": "adobe"}, "references": [{"name": "38197", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/38197"}, {"name": "1023584", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://securitytracker.com/id?1023584"}, {"name": "62292", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://www.osvdb.org/62292"}, {"name": "38543", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/38543"}, {"name": "41855", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/41855/"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.adobe.com/support/security/bulletins/apsb10-05.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@adobe.com", "ID": "CVE-2009-3960", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Unspecified vulnerability in BlazeDS 3.2 and earlier, as used in LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and ColdFusion 7.0.2, 8.0, 8.0.1, and 9.0, allows remote attackers to obtain sensitive information via vectors that are associated with a request, and related to injected tags and external entity references in XML documents."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "38197", "refsource": "BID", "url": "http://www.securityfocus.com/bid/38197"}, {"name": "1023584", "refsource": "SECTRACK", "url": "http://securitytracker.com/id?1023584"}, {"name": "62292", "refsource": "OSVDB", "url": "http://www.osvdb.org/62292"}, {"name": "38543", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/38543"}, {"name": "41855", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/41855/"}, {"name": "http://www.adobe.com/support/security/bulletins/apsb10-05.html", "refsource": "CONFIRM", "url": "http://www.adobe.com/support/security/bulletins/apsb10-05.html"}]}}}}, "cveMetadata": {"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "assignerShortName": "adobe", "cveId": "CVE-2009-3960", "datePublished": "2010-02-15T18:00:00", "dateReserved": "2009-11-16T00:00:00", "dateUpdated": "2017-08-15T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"cisaActionDue": "2022-09-07", "cisaExploitAdd": "2022-03-07", "cisaRequiredAction": "Apply updates per vendor instructions.", "cisaVulnerabilityName": "Adobe BlazeDS Information Disclosure Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:adobe:blazeds:*:*:*:*:*:*:*:*", "matchCriteriaId": "AEF7C97E-BE99-415D-B12B-D3E7BD9EDF08", "versionEndIncluding": "3.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:coldfusion:7.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "B015715F-9672-480E-B0AA-968D8C9070D5", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:coldfusion:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "DD6C1877-7412-4FBE-9641-334971F9D153", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:coldfusion:8.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "28C8D6AF-EDE1-42BD-A47C-2EF8690299BD", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:coldfusion:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "113431FB-E4BE-4416-800C-6B13AD1C0E92", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:flex_data_services:2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "B6F65E3F-F3E7-4BE9-A13B-87FFF3B3777E", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:lifecycle:8.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "2A1EAAD5-7A00-4EC3-9F97-D2965E2569D8", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:lifecycle:8.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "D227BD60-5882-4C73-A642-EEE1E485FC48", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:lifecycle:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "3824D1B3-CE8E-488C-B241-BBD764C935F5", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:lifecycle_data_services:2.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "EDF0B56D-E982-44CE-92E8-DA696E33717A", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:lifecycle_data_services:2.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "18CBBE17-8E63-4A48-997B-850702442394", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:lifecycle_data_services:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "3080073F-5BF3-415D-917A-C04DDCEEB311", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Unspecified vulnerability in BlazeDS 3.2 and earlier, as used in LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and ColdFusion 7.0.2, 8.0, 8.0.1, and 9.0, allows remote attackers to obtain sensitive information via vectors that are associated with a request, and related to injected tags and external entity references in XML documents."}, {"lang": "es", "value": "Vulnerabilidad sin especificar en BlazeDS v3.2 y anteriores, tal como es utilizado en LiveCycle v8.0.1, v8.2.1 y v9.0, LiveCycle Data Services v2.5.1, v2.6.1 y v3.0, Flex Data Services v2.0.1 y ColdFusion v7.0.2, v8.0, v8.0.1 y v9.0. Permite a atacantes remotos obtener informaci\u00f3n confidencial a trav\u00e9s de vectores de ataque asociados con una petici\u00f3n, y relacionados con una etiqueta inyectada y una referencia a una entidad externa en documentos XML."}], "id": "CVE-2009-3960", "lastModified": "2017-08-16T01:29:00.447", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2010-02-15T18:30:00.407", "references": [{"source": "psirt@adobe.com", "url": "http://secunia.com/advisories/38543"}, {"source": "psirt@adobe.com", "url": "http://securitytracker.com/id?1023584"}, {"source": "psirt@adobe.com", "tags": ["Vendor Advisory"], "url": "http://www.adobe.com/support/security/bulletins/apsb10-05.html"}, {"source": "psirt@adobe.com", "url": "http://www.osvdb.org/62292"}, {"source": "psirt@adobe.com", "url": "http://www.securityfocus.com/bid/38197"}, {"source": "psirt@adobe.com", "url": "https://www.exploit-db.com/exploits/41855/"}], "sourceIdentifier": "psirt@adobe.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}