CVSS: 5.0EPSS: 0%CPEs: 2EXPL: 0CVE-2010-0066
https://notcve.org/view.php?id=CVE-2010-0066
Unspecified vulnerability in the Access Manager Identity Server component in Oracle Application Server 7.0.4.3 and 10.1.4.2 allows remote attackers to affect integrity via unknown vectors. vulnerabilidad inespecífica en el componente Access Manager Identity Server en Oracle Application Server v7.0.4.3 y v10.1.4.2 permite a atacantes remotos influir en la integridad a través de vectores desconocidos. • http://www.oracle.com/technetwork/topics/security/cpujan2010-084891.html http://www.securitytracker.com/id?1023438 http://www.us-cert.gov/cas/techalerts/TA10-012A.html •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2009-3407
https://notcve.org/view.php?id=CVE-2009-3407
Unspecified vulnerability in the Portal component in Oracle Application Server 10.1.2.3 and 10.1.4.2 allows remote attackers to affect integrity via unknown vectors, a different vulnerability than CVE-2009-0974 and CVE-2009-0983. Vulnerabilidad no especificada en el componente Portal en Oracle Application Server 10.1.2.3 y 10.1.4.2 permite a atacantes remotos afectar la integridad a través de vectores desconocidos, una vulnerabilidad diferente a CVE-2009-0974 y CVE-2009-0983. • http://osvdb.org/59116 http://secunia.com/advisories/37099 http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html http://www.securityfocus.com/bid/36753 http://www.securitytracker.com/id?1023058 http://www.us-cert.gov/cas/techalerts/TA09-294A.html •
CVSS: 5.0EPSS: 97%CPEs: 93EXPL: 0CVE-2009-0217 – xml-security-1.3.0-1jpp.ep1.*: XMLDsig HMAC-based signatures spoofing and authentication bypass
https://notcve.org/view.php?id=CVE-2009-0217
The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits. El diseño de la recomendación de W3C XML Signature Syntax and Processing (XMLDsig), tal y como es implementado en productos que incluyen (1) el componente Oracle Security Developer Tools de Application Server de Oracle en versiones 10.1.2.3, 10.1.3.4 y 10.1.4.3IM; (2) el componente WebLogic Server de Product Suite de BEA en las versiones 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0 y 8.1 SP6; (3) Mono anterior a versión 2.4.2.2; (4) XML Security Library anterior a versión 1.2.12; (5) WebSphere Application Server de IBM versiones 6.0 hasta 6.0.2.33, versiones 6.1 hasta 6.1.0.23 y versiones 7.0 hasta 7.0.0.1; (6) JDK y JRE de Sun Update 14 y versiones anteriores; (7) .NET Framework de Microsoft versiones 3.0 hasta 3.0 SP2, versiones 3.5 y 4.0; y otros productos utilizan un parámetro que define una longitud de truncamiento HMAC (HMACOutputLength) pero no requiere un mínimo para esta longitud, lo que permite a los atacantes suplantar firmas basadas en HMAC y omitir la autenticación mediante la especificación de una longitud de truncamiento con un pequeño número de bits. • http://blogs.sun.com/security/entry/cert_vulnerability_note_vu_466161 http://git.gnome.org/cgit/xmlsec/commit/?id=34b349675af9f72eb822837a8772cc1ead7115c7 http://git.gnome.org/cgit/xmlsec/patch/?id=34b349675af9f72eb822837a8772cc1ead7115c7 http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00005.html http://marc.info/?l=bugtraq&m=125787273209737&w=2 •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2009-0983
https://notcve.org/view.php?id=CVE-2009-0983
Unspecified vulnerability in the Portal component in Oracle Application Server 10.1.2.3 and 10.1.4.2 allows remote attackers to affect integrity via unknown vectors, a different vulnerability than CVE-2009-0974 and CVE-2009-3407. Vulnerabilidad no especificada en el componente Portal en Oracle Application Server 10.1.2.3 y 10.1.4.2 permite a atacantes remotos afectar la integridad a través de vectores desconocidos, una vulnerabilidad diferente de CVE-2009-0974 y CVE-2009-3407. • http://osvdb.org/53752 http://secunia.com/advisories/34693 http://www.oracle.com/technetwork/topics/security/cpuapr2009-099563.html http://www.securityfocus.com/bid/34461 http://www.securitytracker.com/id?1022055 http://www.us-cert.gov/cas/techalerts/TA09-105A.html •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2009-0974
https://notcve.org/view.php?id=CVE-2009-0974
Unspecified vulnerability in the Portal component in Oracle Application Server 10.1.2.3 and 10.1.4.2 allows remote attackers to affect integrity via unknown vectors, a different vulnerability than CVE-2009-0983 and CVE-2009-3407. Vulnerabilidad no especificada en el componente Portal en Oracle Application Server 10.1.2.3 y 10.1.4.2 permite a atacantes remotos afectar la integridad a través de vectores desconocidos, una vulnerabilidad diferente a CVE-2009-0983 y CVE-2009-3407. • http://osvdb.org/53751 http://secunia.com/advisories/34693 http://www.oracle.com/technetwork/topics/security/cpuapr2009-099563.html http://www.securityfocus.com/bid/34461 http://www.securitytracker.com/id?1022055 http://www.us-cert.gov/cas/techalerts/TA09-105A.html •