Vulnerability Description
BEA WebLogic Server and WebLogic Express 7.0 through SP5 and 8.1 through SP2, when editing weblogic.xml using WebLogic Builder or the SecurityRoleAssignmentMBean.toXML method, inadvertently removes security-role-assignment tags when weblogic.xml does not have a principal-name tag, which can remove intended access restrictions for the associated web application.
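The defect above is a silent loss of access-control configuration, so the practical defence is to review weblogic.xml before and after it is edited. The following is an added example, not code from BEA or the advisory: it parses a constructed weblogic.xml, flags security-role-assignment entries that carry no principal-name (the entries the advisory says the editor drops), and reports any role assignment that is present before an edit but missing afterwards.

```python
import xml.etree.ElementTree as ET
# Constructed sample descriptors (not taken from the advisory). BEFORE has
# two role assignments, one of them without a principal-name; AFTER models
# an edited copy in which that assignment has been silently dropped.
BEFORE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<weblogic-web-app>
  <security-role-assignment>
    <role-name>admin</role-name>
    <principal-name>Administrators</principal-name>
  </security-role-assignment>
  <security-role-assignment>
    <role-name>auditor</role-name>
  </security-role-assignment>
</weblogic-web-app>
"""
AFTER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<weblogic-web-app>
  <security-role-assignment>
    <role-name>admin</role-name>
    <principal-name>Administrators</principal-name>
  </security-role-assignment>
</weblogic-web-app>
"""

def _local(tag):
    """Strip any XML namespace so the check also works on namespaced descriptors."""
    return tag.rsplit("}", 1)[-1]

def role_assignments(xml_text):
    """Map each role-name to the set of principal-names assigned to it."""
    result = {}
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "security-role-assignment":
            continue
        role, principals = None, set()
        for child in el:
            if _local(child.tag) == "role-name":
                role = (child.text or "").strip()
            elif _local(child.tag) == "principal-name":
                principals.add((child.text or "").strip())
        result[role] = principals
    return result

def assignments_without_principal(xml_text):
    """Roles whose assignment has no principal-name: the case the advisory describes."""
    return sorted(r for r, p in role_assignments(xml_text).items() if not p)

def dropped_roles(before_xml, after_xml):
    """Role assignments present before an edit but absent afterwards."""
    return sorted(set(role_assignments(before_xml)) - set(role_assignments(after_xml)))
```

Run `dropped_roles()` on the descriptor saved from version control against the copy produced by the editing tool; a non-empty result means the web application lost a restriction it was meant to keep.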
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bea | Weblogic Server | 7.0 |
References
- http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_59.00.jsp (Patch, Vendor Advisory)
- http://secunia.com/advisories/11593
- http://securitytracker.com/id?1010128
- http://www.kb.cert.org/vuls/id/950070 (Third Party Advisory, US Government Resource)
- http://www.osvdb.org/6076
- http://www.securityfocus.com/bid/10328
- https://exchange.xforce.ibmcloud.com/vulnerabilities/16123
FAQ
What is CVE-2004-0470?
CVE-2004-0470 is a vulnerability with a CVSS score of 7.5 (HIGH). BEA WebLogic Server and WebLogic Express 7.0 through SP5 and 8.1 through SP2, when editing weblogic.xml using WebLogic Builder or the SecurityRoleAssignmentMBean.toXML method, inadvertently removes se...
How severe is CVE-2004-0470?
CVE-2004-0470 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2004-0470?
Check the references section above for vendor advisories and patch information. Affected products include: Bea Weblogic Server.