CVE-2009-1077

Vulnerability Description

The Change My Password implementation in the admin interface in Sun Java System Identity Manager (IdM) 7.0 through 8.0 does not enforce the RequiresChallenge property setting, which allows remote authenticated users to change the passwords of other users, as demonstrated by changing the administrator's password.

CVSS Score

Affected Products

Related Weaknesses (CWE)

References

• http://blogs.sun.com/security/entry/sun_alert_253267_sun_javaPatchVendor Advisory
• http://secunia.com/advisories/34380Vendor Advisory
• http://securitytracker.com/id?1021881
• http://sunsolve.sun.com/search/document.do?assetkey=1-21-137621-11-1Patch
• http://sunsolve.sun.com/search/document.do?assetkey=1-21-139010-06-1Patch
• http://sunsolve.sun.com/search/document.do?assetkey=1-21-140935-01-1Patch
• http://sunsolve.sun.com/search/document.do?assetkey=1-21-140936-01-1PatchVendor Advisory
• http://sunsolve.sun.com/search/document.do?assetkey=1-66-253267-1PatchVendor Advisory
• http://www.securityfocus.com/bid/34191ExploitPatch
• http://www.vupen.com/english/advisories/2009/0797Vendor Advisory
• http://blogs.sun.com/security/entry/sun_alert_253267_sun_javaPatchVendor Advisory
• http://secunia.com/advisories/34380Vendor Advisory
• http://securitytracker.com/id?1021881
• http://sunsolve.sun.com/search/document.do?assetkey=1-21-137621-11-1Patch
• http://sunsolve.sun.com/search/document.do?assetkey=1-21-139010-06-1Patch