fkie_cve-2008-0900
Vulnerability from fkie_nvd
Published
2008-02-22 21:44
Modified
2025-04-09 00:30
Severity ?
Summary
Session fixation vulnerability in BEA WebLogic Server and Express 8.1 SP4 through SP6, 9.2 through MP1, and 10.0 allows remote authenticated users to hijack web sessions via unknown vectors.
References
cve@mitre.orghttp://dev2dev.bea.com/pub/advisory/270Patch
cve@mitre.orghttp://secunia.com/advisories/29041
cve@mitre.orghttp://www.securitytracker.com/id?1019439
cve@mitre.orghttp://www.vupen.com/english/advisories/2008/0612/references
af854a3a-2127-422b-91ae-364da2661108http://dev2dev.bea.com/pub/advisory/270Patch
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/29041
af854a3a-2127-422b-91ae-364da2661108http://www.securitytracker.com/id?1019439
af854a3a-2127-422b-91ae-364da2661108http://www.vupen.com/english/advisories/2008/0612/references
Impacted products
Vendor Product Version
bea weblogic_server 8.1
bea weblogic_server 8.1
bea weblogic_server 8.1
bea weblogic_server 8.1
bea weblogic_server 8.1
bea weblogic_server 8.1
bea weblogic_server 9.2
bea weblogic_server 9.2
bea weblogic_server 10.0
bea_systems weblogic_express 9.2
bea_systems weblogic_express 10.0


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:bea:weblogic_server:8.1:sp4:*:*:*:*:*:*",
              "matchCriteriaId": "0653ACAC-B0D9-4381-AB23-11D24852A414",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bea:weblogic_server:8.1:sp4:express:*:*:*:*:*",
              "matchCriteriaId": "107C2FC6-BC60-4817-8A21-14C81DA6DEF5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bea:weblogic_server:8.1:sp5:*:*:*:*:*:*",
              "matchCriteriaId": "2A489A8E-D3AE-42DF-8DCF-5A9EF10778FA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bea:weblogic_server:8.1:sp5:express:*:*:*:*:*",
              "matchCriteriaId": "24E0BA12-971C-4DC4-8ED2-9B7DCD6390E7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bea:weblogic_server:8.1:sp6:*:*:*:*:*:*",
              "matchCriteriaId": "7A75A7F9-A99A-4C8E-9867-71FA8A55DD70",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bea:weblogic_server:8.1:sp6:express:*:*:*:*:*",
              "matchCriteriaId": "715D1DD4-A736-4F55-9369-71C232AB14CC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bea:weblogic_server:9.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "7BA8C449-ECD0-46E5-A7D6-740DE8DEE0EC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bea:weblogic_server:9.2:mp1:*:*:*:*:*:*",
              "matchCriteriaId": "321BC193-5FBF-4F25-996D-1FE74779F34D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bea:weblogic_server:10.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "60F9ABCC-5217-4650-8C71-F8B0EB86789F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bea_systems:weblogic_express:9.2:mp1:*:*:*:*:*:*",
              "matchCriteriaId": "FF045092-39D3-4598-99DA-D1B35F0DDC3C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bea_systems:weblogic_express:10.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "61231482-5CC5-4C23-AA48-11E24FB6C94F",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Session fixation vulnerability in BEA WebLogic Server and Express 8.1 SP4 through SP6, 9.2 through MP1, and 10.0 allows remote authenticated users to hijack web sessions via unknown vectors."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de fijaci\u00f3n de sesi\u00f3n en BEA WebLogic Server y Express de 8.1 SP4 a SP6, de 9.2 a MP1 y 10.0 permite a usuarios autentificados remotamente secuestrar sesiones web a trav\u00e9s de vectores desconocidos."
    }
  ],
  "id": "CVE-2008-0900",
  "lastModified": "2025-04-09T00:30:58.490",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": true,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2008-02-22T21:44:00.000",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "http://dev2dev.bea.com/pub/advisory/270"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://secunia.com/advisories/29041"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securitytracker.com/id?1019439"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.vupen.com/english/advisories/2008/0612/references"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://dev2dev.bea.com/pub/advisory/270"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/29041"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securitytracker.com/id?1019439"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.vupen.com/english/advisories/2008/0612/references"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-264"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.