CVE-2004-0470
https://notcve.org/view.php?id=CVE-2004-0470
BEA WebLogic Server and WebLogic Express 7.0 through SP5 and 8.1 through SP2, when editing weblogic.xml using WebLogic Builder or the SecurityRoleAssignmentMBean.toXML method, inadvertently removes security-role-assignment tags when weblogic.xml does not have a principal-name tag, which can remove intended access restrictions for the associated web application. BEA WebLogic Server y WebLocic Express 7.0 hasta SP5 y 8.1 hasta SP2, cuando se edita weblogic.xml usando WebLocic Builder o el método SecurityRoleAssignmentMBean.toXML, quita de manera inadvertida etiquetas de asignación de papel de seguridad cuando weblogic.xml no tiene una etiqueta de nombre principal, lo que puede eliminar las restricciones de acceso pretendidas para la aplicación web asociada. • http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_59.00.jsp http://secunia.com/advisories/11593 http://securitytracker.com/id?1010128 http://www.kb.cert.org/vuls/id/950070 http://www.osvdb.org/6076 http://www.securityfocus.com/bid/10328 https://exchange.xforce.ibmcloud.com/vulnerabilities/16123 •
CVE-2004-1758
https://notcve.org/view.php?id=CVE-2004-1758
BEA WebLogic Server and WebLogic Express version 8.1 up to SP2, 7.0 up to SP4, and 6.1 up to SP6 may store the database username and password for an untargeted JDBC connection pool in plaintext in config.xml, which allows local users to gain privileges. • http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_53.00.jsp http://secunia.com/advisories/11357 http://securitytracker.com/id?1009764 http://www.kb.cert.org/vuls/id/920238 http://www.osvdb.org/5297 http://www.securityfocus.com/bid/10131 https://exchange.xforce.ibmcloud.com/vulnerabilities/15860 •
CVE-2004-1756
https://notcve.org/view.php?id=CVE-2004-1756
BEA WebLogic Server and WebLogic Express 8.1 SP2 and earlier, and 7.0 SP4 and earlier, when using 2-way SSL with a custom trust manager, may accept a certificate chain even if the trust manager rejects it, which allows remote attackers to spoof other users or servers. • http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_54.00.jsp http://secunia.com/advisories/11358 http://securitytracker.com/id?1009765 http://www.kb.cert.org/vuls/id/566390 http://www.securityfocus.com/bid/10132 https://exchange.xforce.ibmcloud.com/vulnerabilities/15862 •
CVE-2003-1438
https://notcve.org/view.php?id=CVE-2003-1438
Race condition in BEA WebLogic Server and Express 5.1 through 7.0.0.1, when using in-memory session replication or replicated stateful session beans, causes the same buffer to be provided to two users, which could allow one user to see session data that was intended for another user. • http://dev.bea.com/resourcelibrary/advisoriesnotifications/BEA03-26.01.jsp http://www.securityfocus.com/bid/6717 http://www.securitytracker.com/id?1006018 https://exchange.xforce.ibmcloud.com/vulnerabilities/11221 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2003-1093
https://notcve.org/view.php?id=CVE-2003-1093
BEA WebLogic Server 6.1, 7.0 and 7.0.0.1, when routing messages to a JMS target domain that is inaccessible, may leak the user's password when it throws a ResourceAllocationException. • http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA03-24.jsp http://www.kb.cert.org/vuls/id/331937 http://www.securityfocus.com/bid/6586 https://exchange.xforce.ibmcloud.com/vulnerabilities/11057 •