Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score 6.5
CVE Id CVE-2009-1077
Last Modified 06 Oct 2009 12:00:00
Published 25 Mar 2009 11:30:00
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact PARTIAL
Access Vector NETWORK
Access Complexity LOW
Authentication SINGLE_INSTANCE

CVE-2009-1077

Summary

The Change My Password implementation in the admin interface in Sun Java System Identity Manager (IdM) 7.0 through 8.0 does not enforce the RequiresChallenge property setting, which allows remote authenticated users to change the passwords of other users, as demonstrated by changing the administrator's password.

Vulnerable Systems

Application

  • Sun Java System Identity Manager 7.0

  • Sun Java System Identity Manager 7.1

  • Sun Java System Identity Manager 7.1.1

  • Sun Java System Identity Manager 8.0


References

BID - 34191

SUNALERT - 253267

CONFIRM - http://sunsolve.sun.com/search/document.do?assetkey=1-21-140936-01-1

CONFIRM - http://sunsolve.sun.com/search/document.do?assetkey=1-21-140935-01-1

CONFIRM - http://sunsolve.sun.com/search/document.do?assetkey=1-21-139010-06-1

CONFIRM - http://sunsolve.sun.com/search/document.do?assetkey=1-21-137621-11-1

CONFIRM - http://blogs.sun.com/security/entry/sun_alert_253267_sun_java

VUPEN - ADV-2009-0797

SECTRACK - 1021881

SECUNIA - 34380


Last Updated: 27 May 2016 10:50:27