Vulnerability Name: | CVE-2006-2469 (CCN-26463)
Assigned: | 2006-05-15
Published: | 2006-05-15
Updated: | 2017-07-20
Summary: | The HTTP handlers in BEA WebLogic Server 9.0, 8.1 up to SP5, 7.0 up to SP6, and 6.1 up to SP7 store the username and password in cleartext in the WebLogic Server log when access to a web application or protected JWS fails, which allows attackers to gain privileges.
CVSS v3 Severity: | 7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVSS v2 Severity: | 7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Vulnerability Type: | CWE-Other
Vulnerability Consequences: | Other
References: |
  Source: MITRE Type: CNA CVE-2006-2469
  Source: BEA Type: Patch, Vendor Advisory BEA06-127.00
  Source: CCN Type: SA20130 BEA WebLogic Server/Express Multiple Security Issues
  Source: SECUNIA Type: Patch, Vendor Advisory 20130
  Source: CCN Type: SECTRACK ID: 1016098 WebLogic Server Records Failed User Passwords in the Server Log File
  Source: SECTRACK Type: UNKNOWN 1016098
  Source: CCN Type: OSVDB ID: 25550 BEA WebLogic Server Log Cleartext Authentication Credential Disclosure
  Source: CCN Type: BID-17982 BEA WebLogic Multiple Vulnerabilities
  Source: VUPEN Type: UNKNOWN ADV-2006-1828
  Source: XF Type: UNKNOWN weblogic-server-log-password-cleartext(26463)
  Source: CCN Type: BEA Systems Inc. Security Advisory: (BEA06-127.00) WebLogic Server HTTP handlers log username and password on failure
Vulnerable Configuration: | Configuration 1: Configuration CCN 1: Denotes that component is vulnerable