CVE-2004-0470 - OpenCVE

BEA WebLogic Server and WebLogic Express 7.0 through SP5 and 8.1 through SP2, when editing weblogic.xml using WebLogic Builder or the SecurityRoleAssignmentMBean.toXML method, inadvertently removes security-role-assignment tags when weblogic.xml does not have a principal-name tag, which can remove intended access restrictions for the associated web application.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Bea	Weblogic Server

Configuration 1 [-]

OR	cpe:2.3:a:bea:weblogic_server:7.0:::::::*
	cpe:2.3:a:bea:weblogic_server:7.0::express:::::
	cpe:2.3:a:bea:weblogic_server:8.1:::::::*
	cpe:2.3:a:bea:weblogic_server:8.1::express:::::

No data.

References

Link	Providers
http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_59.00.jsp
http://secunia.com/advisories/11593
http://securitytracker.com/id?1010128
http://www.kb.cert.org/vuls/id/950070
http://www.osvdb.org/6076
http://www.securityfocus.com/bid/10328
https://exchange.xforce.ibmcloud.com/vulnerabilities/16123

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2004-05-20T04:00:00

Updated: 2024-08-08T00:17:14.973Z

Reserved: 2004-05-13T00:00:00

Link: CVE-2004-0470

Vulnrichment

No data.

NVD

Status : Modified

Published: 2004-07-07T04:00:00.000

Modified: 2017-07-11T01:30:11.150

Link: CVE-2004-0470

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2004-05-11T00:00:00", "descriptions": [{"lang": "en", "value": "BEA WebLogic Server and WebLogic Express 7.0 through SP5 and 8.1 through SP2, when editing weblogic.xml using WebLogic Builder or the SecurityRoleAssignmentMBean.toXML method, inadvertently removes security-role-assignment tags when weblogic.xml does not have a principal-name tag, which can remove intended access restrictions for the associated web application."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-07-10T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "11593", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/11593"}, {"name": "weblogic-application-unauth-access(16123)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/16123"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_59.00.jsp"}, {"name": "1010128", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://securitytracker.com/id?1010128"}, {"name": "6076", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://www.osvdb.org/6076"}, {"name": "VU#950070", "tags": ["third-party-advisory", "x_refsource_CERT-VN"], "url": "http://www.kb.cert.org/vuls/id/950070"}, {"name": "10328", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/10328"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2004-0470", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "BEA WebLogic Server and WebLogic Express 7.0 through SP5 and 8.1 through SP2, when editing weblogic.xml using WebLogic Builder or the SecurityRoleAssignmentMBean.toXML method, inadvertently removes security-role-assignment tags when weblogic.xml does not have a principal-name tag, which can remove intended access restrictions for the associated web application."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "11593", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/11593"}, {"name": "weblogic-application-unauth-access(16123)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/16123"}, {"name": "http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_59.00.jsp", "refsource": "CONFIRM", "url": "http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_59.00.jsp"}, {"name": "1010128", "refsource": "SECTRACK", "url": "http://securitytracker.com/id?1010128"}, {"name": "6076", "refsource": "OSVDB", "url": "http://www.osvdb.org/6076"}, {"name": "VU#950070", "refsource": "CERT-VN", "url": "http://www.kb.cert.org/vuls/id/950070"}, {"name": "10328", "refsource": "BID", "url": "http://www.securityfocus.com/bid/10328"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-08T00:17:14.973Z"}, "title": "CVE Program Container", "references": [{"name": "11593", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/11593"}, {"name": "weblogic-application-unauth-access(16123)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/16123"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_59.00.jsp"}, {"name": "1010128", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://securitytracker.com/id?1010128"}, {"name": "6076", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://www.osvdb.org/6076"}, {"name": "VU#950070", "tags": ["third-party-advisory", "x_refsource_CERT-VN", "x_transferred"], "url": "http://www.kb.cert.org/vuls/id/950070"}, {"name": "10328", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/10328"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2004-0470", "datePublished": "2004-05-20T04:00:00", "dateReserved": "2004-05-13T00:00:00", "dateUpdated": "2024-08-08T00:17:14.973Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bea:weblogic_server:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "F9C5AFCF-79D8-4005-B800-B0C6BD461276", "vulnerable": true}, {"criteria": "cpe:2.3:a:bea:weblogic_server:7.0:*:express:*:*:*:*:*", "matchCriteriaId": "FBDF3AC0-0680-4EEE-898C-47D194667BE2", "vulnerable": true}, {"criteria": "cpe:2.3:a:bea:weblogic_server:8.1:*:*:*:*:*:*:*", "matchCriteriaId": "E08D4CEA-9ACC-4869-BC87-3524A059914F", "vulnerable": true}, {"criteria": "cpe:2.3:a:bea:weblogic_server:8.1:*:express:*:*:*:*:*", "matchCriteriaId": "ADED8968-EA9C-4F0E-AD2F-BC834F4D8A58", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "BEA WebLogic Server and WebLogic Express 7.0 through SP5 and 8.1 through SP2, when editing weblogic.xml using WebLogic Builder or the SecurityRoleAssignmentMBean.toXML method, inadvertently removes security-role-assignment tags when weblogic.xml does not have a principal-name tag, which can remove intended access restrictions for the associated web application."}, {"lang": "es", "value": "BEA WebLogic Server y WebLocic Express 7.0 hasta SP5 y 8.1 hasta SP2, cuando se edita weblogic.xml usando WebLocic Builder o el m\u00e9todo SecurityRoleAssignmentMBean.toXML, quita de manera inadvertida etiquetas de asignaci\u00f3n de papel de seguridad cuando weblogic.xml no tiene una etiqueta de nombre principal, lo que puede eliminar las restricciones de acceso pretendidas para la aplicaci\u00f3n web asociada."}], "id": "CVE-2004-0470", "lastModified": "2017-07-11T01:30:11.150", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2004-07-07T04:00:00.000", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_59.00.jsp"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/11593"}, {"source": "cve@mitre.org", "url": "http://securitytracker.com/id?1010128"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/950070"}, {"source": "cve@mitre.org", "url": "http://www.osvdb.org/6076"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/10328"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/16123"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}