CVE-2007-2700
https://notcve.org/view.php?id=CVE-2007-2700
The WLST script generated by the configToScript command in BEA WebLogic Express and WebLogic Server 9.0 and 9.1 does not encrypt certain attributes in configuration files when creating a new domain, which allows remote authenticated users to obtain sensitive information. La secuencia de comandos (script) WLST generada por el comando configToScript en BEA WebLogic Express y WebLogic Server 9.0 y 9.1 no cifra determinados atributos en los ficheros de configuración cuando crea un nuevo dominio, lo cual permite a usuarios remotos autenticados obtener información sensible. • http://dev2dev.bea.com/pub/advisory/233 http://osvdb.org/36068 http://secunia.com/advisories/25284 http://securitytracker.com/id?1018057 http://www.vupen.com/english/advisories/2007/1815 https://exchange.xforce.ibmcloud.com/vulnerabilities/34288 •
CVE-2007-2695
https://notcve.org/view.php?id=CVE-2007-2695
The HttpClusterServlet and HttpProxyServlet in BEA WebLogic Express and WebLogic Server 6.1 through SP7, 7.0 through SP7, 8.1 through SP5, 9.0, and 9.1, when SecureProxy is enabled, may process "external requests on behalf of a system identity," which allows remote attackers to access administrative data or functionality. Los servlets HttpClusterServlet y HttpProxyServlet en BEA WebLogic Express y WebLogic Server 6.1 hasta SP7, 7.0 hasta SP7, 8.1 hasta SP5, 9.0, y 9.1, cuando SecureProxy está habitilitado, pueden procesar "peticiones externas de parte de una identidad de sistema", lo cual permite a atacantes remotos acceder a datos o funcionalidades de administración. • http://dev2dev.bea.com/pub/advisory/227 http://dev2dev.bea.com/pub/advisory/274 http://osvdb.org/36074 http://secunia.com/advisories/25284 http://secunia.com/advisories/29041 http://securitytracker.com/id?1018057 http://www.vupen.com/english/advisories/2007/1815 http://www.vupen.com/english/advisories/2008/0612/references https://exchange.xforce.ibmcloud.com/vulnerabilities/34282 •
CVE-2007-0411
https://notcve.org/view.php?id=CVE-2007-0411
BEA WebLogic Server 8.1 through 8.1 SP5, 9.0, 9.1, and 9.2 Gold, when WS-Security is used, does not properly validate certificates, which allows remote attackers to conduct a man-in-the-middle (MITM) attack. BEA WebLogic Server 8.1 hasta 8.1 SP5, 9.0, 9.1, y 9.2 Gold, cuando WS-Security es utilizado, no valida certificados adecuadamente, lo cual permite a atacantes remotos llevar a cabo ataques de hombre en el medio (MITM, man-in-the-middle). • http://dev2dev.bea.com/pub/advisory/205 http://osvdb.org/38503 http://secunia.com/advisories/23750 http://securitytracker.com/id?1017525 http://www.securityfocus.com/bid/22082 http://www.vupen.com/english/advisories/2007/0213 •
CVE-2007-0418
https://notcve.org/view.php?id=CVE-2007-0418
BEA WebLogic Server 7.0 through 7.0 SP6, 8.1 through 8.1 SP5, 9.0, and 9.1 does not enforce a security policy that declares permissions for EJB methods that have array parameters, which allows remote attackers to obtain unauthorized access to these methods. BEA WebLogic Server 7.0 hasta 7.0 SP6, 8.1 hasta 8.1 SP5, 9.0, y 9.1 no hace cmplir las políticas de seguridad que declara los permisos para los métodos EJB que tienen parámetros array, lo cual permite a atacantes remotos obtener acceso no autorizado a estos métodos. • http://dev2dev.bea.com/pub/advisory/212 http://osvdb.org/38512 http://secunia.com/advisories/23750 http://securitytracker.com/id?1017525 http://www.securityfocus.com/bid/22082 http://www.vupen.com/english/advisories/2007/0213 •
CVE-2007-0410
https://notcve.org/view.php?id=CVE-2007-0410
Unspecified vulnerability in the thread management in BEA WebLogic 7.0 through 7.0 SP6, 8.1 through 8.1 SP5, 9.0, and 9.1, when T3 authentication is used, allows remote attackers to cause a denial of service (thread and system hang) via unspecified "sequences of events." Vulnerabilidad no especificada en la administración de hilos en BEA WebLogic 7.0 hasta 7.0 SP6, 8.1 hasta 8.1 SP5, 9.0, y 9.1, cuando se usa la autenticación T3, permite a atacantes remotos provocar una denegación de servicio (cuelgue de hilo y de sistema) mediante "secuencias de eventos" no especificadas. • http://dev2dev.bea.com/pub/advisory/204 http://osvdb.org/38502 http://secunia.com/advisories/23750 http://securitytracker.com/id?1017525 http://www.securityfocus.com/bid/22082 http://www.vupen.com/english/advisories/2007/0213 •