CVSS: 2.1EPSS: 0%CPEs: 3EXPL: 0CVE-2004-2321
https://notcve.org/view.php?id=CVE-2004-2321
BEA WebLogic Server and Express 8.1 SP1 and earlier allows local users in the Operator role to obtain administrator passwords via MBean attributes, including (1) ServerStartMBean.Password and (2) NodeManagerMBean.CertificatePassword. • http://dev2dev.bea.com/pub/advisory/1 http://www.securityfocus.com/bid/9505 http://www.securitytracker.com/alerts/2004/Jan/1008867.html https://exchange.xforce.ibmcloud.com/vulnerabilities/14962 •
CVSS: 5.5EPSS: 0%CPEs: 61EXPL: 0CVE-2004-2696
https://notcve.org/view.php?id=CVE-2004-2696
BEA WebLogic Server and WebLogic Express 6.1, 7.0, and 8.1, when using Remote Method Invocation (RMI) over Internet Inter-ORB Protocol (IIOP), does not properly handle when multiple logins for different users coming from the same client, which could cause an "unexpected user identity" to be used in an RMI call. • http://dev2dev.bea.com/pub/advisory/59 http://secunia.com/advisories/11865 http://securitytracker.com/id?1010493 http://www.osvdb.org/7081 http://www.securityfocus.com/bid/10545 https://exchange.xforce.ibmcloud.com/vulnerabilities/16421 • CWE-255: Credentials Management Errors •
CVSS: 7.5EPSS: 0%CPEs: 21EXPL: 0CVE-2004-0711
https://notcve.org/view.php?id=CVE-2004-0711
The URL pattern matching feature in BEA WebLogic Server 6.x matches illegal patterns ending in "*" as wildcards as if they were the legal "/*" pattern, which could cause WebLogic 7.x to allow remote attackers to bypass intended access restrictions because the illegal patterns are properly rejected. La característica de coincidencia de patrones en URL de WebLogic Server 6.x encuentra coincidencias en patrones ilegales terminados en "*" como comodines como si fueran el patrón legal "/", lo que podría causar que usuarios remotos se saltaran las restricciones de acceso pretendidas porque los patrones ilegales son rechazados adecuadamente. • http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_56.00.jsp http://www.kb.cert.org/vuls/id/184558 http://www.securityfocus.com/bid/10184 https://exchange.xforce.ibmcloud.com/vulnerabilities/15927 •
CVSS: 6.4EPSS: 1%CPEs: 44EXPL: 0CVE-2004-0713
https://notcve.org/view.php?id=CVE-2004-0713
The remove method in a stateful Enterprise JavaBean (EJB) in BEA WebLogic Server and WebLogic Express version 8.1 through SP2, 7.0 through SP4, and 6.1 through SP6, does not properly check EJB permissions before unexporting a bean, which allows remote authenticated users to remove EJB objects from remote views before the security exception is thrown. El método remove en una Enterprise JavaBean (EJB) con estado en BEA WebLogic Server y WebLogic Express version 8.1 hasta SP2, 7.0 hasta SP4, y 6.1 a SP6, no comprueba adecuadamente permisos EJB antes de dejar de exportar una habichuela (bean), lo que permite a usuarios remotos autenticados eliminar objetos EJB de vistas remotas antes de que se lance la excepción de seguridad. • http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_57.00.jsp http://www.kb.cert.org/vuls/id/658878 http://www.securityfocus.com/bid/10185 https://exchange.xforce.ibmcloud.com/vulnerabilities/15928 •
CVSS: 4.6EPSS: 0%CPEs: 9EXPL: 0CVE-2004-0712
https://notcve.org/view.php?id=CVE-2004-0712
The configuration tools (1) config.sh in Unix or (2) config.cmd in Windows for BEA WebLogic Server 8.1 through SP2 create a log file that contains the administrative username and password in cleartext, which could allow local users to gain privileges. Las herramientes de configuracion (1) config.sh en Unix o (2) config.cmd en Windows de BEA WebLogic Server 8.1 a SP2 crean un fichero de registro que contiene el nombre y la contraseña del administrador en texto claro, lo que podría permitir a usuarios locales ganar privilegios. • http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_58.00.jsp http://www.kb.cert.org/vuls/id/574222 http://www.securityfocus.com/bid/10188 https://exchange.xforce.ibmcloud.com/vulnerabilities/15926 •