Vulnerability Name:

CVE-2009-1082 (CCN-49616)

Assigned:2009-03-19
Published:2009-03-19
Updated:2009-03-25
Summary:Sun Java System Identity Manager (IdM) 7.0 through 8.0 allows remote authenticated users to gain privileges by submitting crafted commands to the Admin Console, as demonstrated by privileges for account creation and other administrative capabilities, related to the saveNoValidate action and saveNoValidateAllowedFormsAndWorkflows IDs.
CVSS v3 Severity:4.6 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): Low
CVSS v2 Severity:9.0 High (CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C)
6.7 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
6.0 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P)
4.4 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
Vulnerability Type:CWE-20
Vulnerability Consequences:Gain Access
References:Source: CONFIRM
Type: Vendor Advisory
http://blogs.sun.com/security/entry/sun_alert_253267_sun_java

Source: MITRE
Type: CNA
CVE-2009-1082

Source: CCN
Type: SA34380
Sun Java System Identity Manager Multiple Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
34380

Source: CCN
Type: SECTRACK ID: 1021881
Sun Java System Identity Manager Bugs Let Local and Remote Users Gain Privileges

Source: SECTRACK
Type: UNKNOWN
1021881

Source: CONFIRM
Type: Patch
http://sunsolve.sun.com/search/document.do?assetkey=1-21-137621-11-1

Source: CONFIRM
Type: UNKNOWN
http://sunsolve.sun.com/search/document.do?assetkey=1-21-139010-06-1

Source: CONFIRM
Type: Patch
http://sunsolve.sun.com/search/document.do?assetkey=1-21-140935-01-1

Source: CONFIRM
Type: Patch
http://sunsolve.sun.com/search/document.do?assetkey=1-21-140936-01-1

Source: CCN
Type: Sun Alert ID: 253267
Sun Java System Identity Manager Security Vulnerabilities

Source: SUNALERT
Type: Vendor Advisory
253267

Source: CCN
Type: OSVDB ID: 53152
Sun Java System Identity Manager Admin Console Crafted Command Privilege Escalation

Source: BID
Type: Patch
34191

Source: CCN
Type: BID-34191
Sun Java System Identity Manager Multiple Vulnerabilities

Source: VUPEN
Type: Vendor Advisory
ADV-2009-0797

Source: XF
Type: UNKNOWN
jsim-adminconsole-priv-escalation(49616)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:sun:java_system_identity_manager:7.0:*:*:*:*:*:*:*
  • OR cpe:/a:sun:java_system_identity_manager:7.1:*:*:*:*:*:*:*
  • OR cpe:/a:sun:java_system_identity_manager:7.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:sun:java_system_identity_manager:8.0:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:sun:java_system_identity_manager:7.0:*:*:*:*:*:*:*
  • OR cpe:/a:sun:java_system_identity_manager:7.1:*:*:*:*:*:*:*
  • OR cpe:/a:sun:java_system_identity_manager:7.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:sun:java_system_identity_manager:8.0:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    sun java system identity manager 7.0
    sun java system identity manager 7.1
    sun java system identity manager 7.1.1
    sun java system identity manager 8.0
    sun java system identity manager 7.0
    sun java system identity manager 7.1
    sun java system identity manager 7.1.1
    sun java system identity manager 8.0