Vulnerability CVE-2008-5115 - CERT Civis.Net

Vulnerability Name:

CVE-2008-5115 (CCN-46553)

Assigned:

2008-11-11

Published:

2008-11-11

Updated:

2018-10-11

Summary:

Cross-site request forgery (CSRF) vulnerability in Sun Java System Identity Manager 6.0 through 6.0 SP4, 7.0, and 7.1 allows remote attackers to hijack the authentication of administrators for requests that update the password via idm/admin/changeself.jsp.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.9 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2008-5115

Source: OSVDB
Type: UNKNOWN
49766

Source: CCN
Type: SA32606
Sun Java System Identity Manager Multiple Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
32606

Source: CCN
Type: SECTRACK ID: 1021170
Sun Java System Identity Manager Bugs Permit Cross-Site Scripting and Cross-Site Request Forgery Attacks and Disclose Files to Remote Users

Source: SUNALERT
Type: Patch, Vendor Advisory
243386

Source: CCN
Type: Sun Alert ID: 243386
Multiple Security Vulnerabilities in Sun Java System Identity Manager

Source: CCN
Type: ASA-2008-453
Multiple Security Vulnerabilities in Sun Java System Identity Manager (Sun 243386)

Source: CCN
Type: OSVDB ID: 49766
Sun Java System Identity Manager Admin /idm/admin/changeself.jsp Update Password CSRF

Source: MISC
Type: UNKNOWN
http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr07-11

Source: BUGTRAQ
Type: UNKNOWN
20081119 PR07-11: Cross-site Request Forgery (CSRF) on Sun Java System Identity Manager

Source: BID
Type: UNKNOWN
32262

Source: CCN
Type: BID-32262
Sun Java System Identity Manager Multiple Vulnerabilities

Source: SECTRACK
Type: UNKNOWN
1021170

Source: CCN
Type: Sun Web site
Sun Identity Manager

Source: VUPEN
Type: UNKNOWN
ADV-2008-3128

Source: XF
Type: UNKNOWN
sun-jsim-unspecified-csrf(46553)

Source: XF
Type: UNKNOWN
sun-jsim-unspecified-csrf(46553)

Vulnerable Configuration:

Configuration 1:

cpe:/a:sun:java_system_identity_manager:6.0:*:*:*:*:*:*:*

OR cpe:/a:sun:java_system_identity_manager:6.0:sp1:*:*:*:*:*:*

OR cpe:/a:sun:java_system_identity_manager:6.0:sp2:*:*:*:*:*:*

OR cpe:/a:sun:java_system_identity_manager:6.0:sp3:*:*:*:*:*:*

OR cpe:/a:sun:java_system_identity_manager:6.0:sp4:*:*:*:*:*:*

OR cpe:/a:sun:java_system_identity_manager:7.0:*:*:*:*:*:*:*

OR cpe:/a:sun:java_system_identity_manager:7.1:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:sun:java_system_identity_manager:6.0:*:*:*:*:*:*:*

OR cpe:/a:sun:java_system_identity_manager:7.0:*:*:*:*:*:*:*

OR cpe:/a:sun:java_system_identity_manager:7.1:*:*:*:*:*:*:*

OR cpe:/a:sun:java_system_identity_manager:6.0:sp1:*:*:*:*:*:*

OR cpe:/a:sun:java_system_identity_manager:6.0:sp2:*:*:*:*:*:*

OR cpe:/a:sun:java_system_identity_manager:6.0:sp3:*:*:*:*:*:*

OR cpe:/a:sun:java_system_identity_manager:6.0:sp4:*:*:*:*:*:*

Denotes that component is vulnerable