CVE-2009-2713

MEDIUM

Description

The CDCServlet component in Sun Java System Access Manager 7.0 2005Q4 and 7.1, when Cross Domain Single Sign On (CDSSO) is enabled, does not ensure that "policy advice" is presented to the correct client, which allows remote attackers to obtain sensitive information via unspecified vectors.

References

http://secunia.com/advisories/36167

http://sunsolve.sun.com/search/document.do?assetkey=1-21-126356-03-1

http://sunsolve.sun.com/search/document.do?assetkey=1-66-255968-1

http://www.securityfocus.com/bid/35961

http://www.vupen.com/english/advisories/2009/2176

Details

Source: MITRE

Published: 2009-08-07

Updated: 2009-08-15

Risk Information

CVSS v2.0

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:sun:java_system_access_manager:6.3_2005q1:*:solaris_10_sparc:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:6.3_2005q1:*:solaris_8_sparc:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:6.3_2005q1:*:solaris_9_sparc:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:7.1:*:solaris_10_sparc:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:7.1:*:solaris_8_sparc:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:7.1:*:solaris_9_sparc:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:7_2005q4:*:solaris_10_sparc:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:7_2005q4:*:solaris_8_sparc:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:7_2005q4:*:solaris_9_sparc:*:*:*:*:*

Configuration 2

OR

cpe:2.3:a:sun:java_system_access_manager:6.3_2005q1:*:solaris_10_x86:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:6.3_2005q1:*:solaris_8_x86:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:6.3_2005q1:*:solaris_9_x86:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:7.1:*:solaris_10_x86:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:7.1:*:solaris_8_x86:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:7.1:*:solaris_9_x86:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:7_2005q4:*:solaris_10_x86:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:7_2005q4:*:solaris_8_x86:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:7_2005q4:*:solaris_9_x86:*:*:*:*:*

Configuration 3

OR

cpe:2.3:a:sun:java_system_access_manager:6.3_2005q1:*:solaris_10_linux:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:6.3_2005q1:*:solaris_8_linux:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:6.3_2005q1:*:solaris_9_linux:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:7.1:*:solaris_10_linux:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:7.1:*:solaris_8_linux:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:7.1:*:solaris_9_linux:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:7_2005q4:*:solaris_10_linux:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:7_2005q4:*:solaris_8_linux:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:7_2005q4:*:solaris_9_linux:*:*:*:*:*

Configuration 4

OR

cpe:2.3:a:sun:java_system_access_manager:7.0_2005q4:*:windows:*:*:*:*:*

cpe:2.3:a:sun:java_system_access_manager:7.1:*:windows:*:*:*:*:*

Configuration 5

OR

cpe:2.3:a:sun:java_system_web_server:7.0:*:hp_ux:*:*:*:*:*

Configuration 6

OR

cpe:2.3:a:sun:java_system_access_manager:7.1:*:war:*:*:*:*:*

Tenable Plugins


ID     | Name                                                                  | Product                | Family                        | Severity
-------|-----------------------------------------------------------------------|------------------------|-------------------------------|---------
107950 | Solaris 10 (x86) : 126357-06                                          | Nessus                 | Solaris Local Security Checks | critical
107871 | Solaris 10 (x86) : 120955-12                                          | Nessus                 | Solaris Local Security Checks | critical
107450 | Solaris 10 (sparc) : 126356-06                                        | Nessus                 | Solaris Local Security Checks | critical
107369 | Solaris 10 (sparc) : 120954-12                                        | Nessus                 | Solaris Local Security Checks | critical
44085  | Solaris 5.9 (x86) : 126356-03                                         | Nessus                 | Solaris Local Security Checks | critical
5133   | Sun Java System Access Manager 7.1 < Patch 3 Multiple Vulnerabilities | Nessus Network Monitor | Web Servers                   | medium
38126  | Solaris 10 (x86) : 120955-12 (deprecated)                             | Nessus                 | Solaris Local Security Checks | critical
38005  | Solaris 9 (x86) : 120955-12                                           | Nessus                 | Solaris Local Security Checks | critical
37533  | Solaris 9 (sparc) : 120954-12                                         | Nessus                 | Solaris Local Security Checks | critical
37271  | Solaris 8 (sparc) : 120954-12                                         | Nessus                 | Solaris Local Security Checks | critical
36756  | Solaris 10 (sparc) : 120954-12 (deprecated)                           | Nessus                 | Solaris Local Security Checks | critical
30014  | Solaris 5.9 (x86) : 126357-03                                         | Nessus                 | Solaris Local Security Checks | critical
30013  | Solaris 5.9 (sparc) : 126356-03                                       | Nessus                 | Solaris Local Security Checks | critical
30012  | Solaris 5.8 (x86) : 126357-03                                         | Nessus                 | Solaris Local Security Checks | critical
30011  | Solaris 5.8 (sparc) : 126356-03                                       | Nessus                 | Solaris Local Security Checks | critical
30010  | Solaris 5.10 (x86) : 126357-03                                        | Nessus                 | Solaris Local Security Checks | critical
30007  | Solaris 5.10 (sparc) : 126356-03                                      | Nessus                 | Solaris Local Security Checks | critical