CVE-2009-0348

MEDIUM
Description

The login module in Sun Java System Access Manager 6 2005Q1 (aka 6.3), 7 2005Q4 (aka 7.0), and 7.1 responds differently to a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames.

References

http://secunia.com/advisories/33688

http://sunsolve.sun.com/search/document.do?assetkey=1-21-119465-15-1

http://sunsolve.sun.com/search/document.do?assetkey=1-66-242026-1

http://www.securityfocus.com/bid/33489

http://www.vupen.com/english/advisories/2009/0269

https://exchange.xforce.ibmcloud.com/vulnerabilities/48283

Details

Source: MITRE

Published: 2009-01-29

Updated: 2017-08-08

Type: CWE-200

Risk Information

CVSS v2

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:sun:java_system_access_manager:6.3_2005q1:*:solaris_10_linux:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:6.3_2005q1:*:solaris_10_sparc:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:6.3_2005q1:*:solaris_10_windows:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:6.3_2005q1:*:solaris_10_x86:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:6.3_2005q1:*:solaris_8_linux:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:6.3_2005q1:*:solaris_8_sparc:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:6.3_2005q1:*:solaris_8_windows:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:6.3_2005q1:*:solaris_8_x86:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:6.3_2005q1:*:solaris_9_linux:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:6.3_2005q1:*:solaris_9_sparc:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:6.3_2005q1:*:solaris_9_windows:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:6.3_2005q1:*:solaris_9_x86:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:7.1:*:solaris_10_linux:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:7.1:*:solaris_10_sparc:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:7.1:*:solaris_10_windows:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:7.1:*:solaris_10_x86:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:7.1:*:solaris_8_linux:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:7.1:*:solaris_8_sparc:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:7.1:*:solaris_8_windows:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:7.1:*:solaris_8_x86:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:7.1:*:solaris_9_linux:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:7.1:*:solaris_9_sparc:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:7.1:*:solaris_9_windows:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:7.1:*:solaris_9_x86:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:7_2005q4:*:solaris_10_linux:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:7_2005q4:*:solaris_10_sparc:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:7_2005q4:*:solaris_10_windows:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:7_2005q4:*:solaris_10_x86:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:7_2005q4:*:solaris_8_linux:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:7_2005q4:*:solaris_8_sparc:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:7_2005q4:*:solaris_8_windows:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:7_2005q4:*:solaris_8_x86:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:7_2005q4:*:solaris_9_linux:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:7_2005q4:*:solaris_9_sparc:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:7_2005q4:*:solaris_9_windows:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:7_2005q4:*:solaris_9_x86:*:*:*:*:*

Tenable Plugins

| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 107950 | Solaris 10 (x86) : 126357-06 | Nessus | Solaris Local Security Checks | critical |
| 107871 | Solaris 10 (x86) : 120955-12 | Nessus | Solaris Local Security Checks | critical |
| 107821 | Solaris 10 (x86) : 119465-17 | Nessus | Solaris Local Security Checks | medium |
| 107450 | Solaris 10 (sparc) : 126356-06 | Nessus | Solaris Local Security Checks | critical |
| 107369 | Solaris 10 (sparc) : 120954-12 | Nessus | Solaris Local Security Checks | critical |
| 107318 | Solaris 10 (sparc) : 119465-17 | Nessus | Solaris Local Security Checks | medium |
| 5132 | Sun Java System Access Manager 7.1 < Patch 2 Multiple Vulnerabilities | Nessus Network Monitor | Web Servers | medium |
| 38126 | Solaris 10 (x86) : 120955-12 (deprecated) | Nessus | Solaris Local Security Checks | critical |
| 38005 | Solaris 9 (x86) : 120955-12 | Nessus | Solaris Local Security Checks | critical |
| 37533 | Solaris 9 (sparc) : 120954-12 | Nessus | Solaris Local Security Checks | critical |
| 37271 | Solaris 8 (sparc) : 120954-12 | Nessus | Solaris Local Security Checks | critical |
| 36756 | Solaris 10 (sparc) : 120954-12 (deprecated) | Nessus | Solaris Local Security Checks | critical |
| 35618 | Sun OpenSSO / Java System Access Manager Login Module User Account Enumeration Weakness | Nessus | CGI abuses | medium |
| 23611 | Solaris 9 (x86) : 119465-17 | Nessus | Solaris Local Security Checks | medium |
| 23553 | Solaris 9 (sparc) : 119465-17 | Nessus | Solaris Local Security Checks | medium |
| 23466 | Solaris 8 (x86) : 119465-17 | Nessus | Solaris Local Security Checks | medium |
| 23415 | Solaris 8 (sparc) : 119465-17 | Nessus | Solaris Local Security Checks | medium |
| 22989 | Solaris 10 (x86) : 119465-17 (deprecated) | Nessus | Solaris Local Security Checks | medium |
| 22956 | Solaris 10 (sparc) : 119465-17 (deprecated) | Nessus | Solaris Local Security Checks | medium |