CVE-2009-4188

HP Operations Dashboard 2.1 - Portal Default Manager Account Remote Security

Severity Score

10.0

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

HP Operations Dashboard has a default password of j2deployer for the j2deployer account, which allows remote attackers to execute arbitrary code via a session that uses the manager role to conduct unrestricted file upload attacks against the /manager servlet in the Tomcat servlet container. NOTE: this might overlap CVE-2009-3098.

HP Operations Dashboard tiene una contraseña por defecto "j2deployer" en la cuenta j2deployer, lo que permite a atacantes remotos ejecutar código arbitrario a atraves de una sesión que utilice el perfil manager para dirigir ataque de subida de ficheros sin restricción contra el servlet de manager en el repositorio de servlets de Tomcat. NOTA: Esta vulnerabilidad podria solaparse con CVE-2009-3098.

*Credits: N/A

CVSS Scores

NISTv2 10.0

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2009-09-03 First Exploit
2009-12-03 CVE Reserved
2009-12-03 CVE Published
2024-09-16 CVE Updated
2024-09-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-255: Credentials Management Errors

CAPEC

References (6)

URL	Tag	Source
http://www.intevydis.com/blog/?p=87	X_refsource_misc
http://www.securityfocus.com/bid/36258	Vdb Entry
http://www-01.ibm.com/support/docview.wss?uid=swg21419179
http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html

URL	Date	SRC
https://www.exploit-db.com/exploits/33211	2009-09-03
https://www.exploit-db.com/exploits/16317	2010-12-14

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Hp Search vendor "Hp"		Operations Dashboard Search vendor "Hp" for product "Operations Dashboard"				*		-		Affected