This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
Vendor Sun First view 2007-10-01
Product Java System Access Manager Last view 2009-08-07
Version 7.1 Type Application
Update *  
Edition windows  
Language *  
Sofware Edition *  
Target Software *  
Target Hardware *  
Other *  
 
CPE Product cpe:2.3:a:sun:java_system_access_manager

Activity : Overall

Related : CVE

  Date Alert Description
4.3 2009-08-07 CVE-2009-2713

The CDCServlet component in Sun Java System Access Manager 7.0 2005Q4 and 7.1, when Cross Domain Single Sign On (CDSSO) is enabled, does not ensure that "policy advice" is presented to the correct client, which allows remote attackers to obtain sensitive information via unspecified vectors.

2.1 2009-08-07 CVE-2009-2712

Sun Java System Access Manager 6.3 2005Q1, 7.0 2005Q4, and 7.1; and OpenSSO Enterprise 8.0; when AMConfig.properties enables the debug flag, allows local users to discover cleartext passwords by reading debug files.

2.6 2009-07-01 CVE-2009-2268

Cross-site scripting (XSS) vulnerability in the Cross-Domain Controller (CDC) servlet in Sun Java System Access Manager 6 2005Q1, 7 2005Q4, and 7.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

9 2009-01-16 CVE-2009-0169

Sun Java System Access Manager 7.1 allows remote authenticated sub-realm administrators to gain privileges, as demonstrated by creating the amadmin account in the sub-realm, and then logging in as amadmin in the root realm.

4.3 2008-03-07 CVE-2008-1204

Multiple cross-site scripting (XSS) vulnerabilities in the Administration Console in Sun Java System Access Manager 7.1 and 7 2005Q4 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors related to the (1) Help and (2) Version windows.

6.8 2007-10-01 CVE-2007-5153

Unspecified vulnerability in Sun Java System Access Manager 7.1, when installed in a Sun Java System Application Server 8.x container, allows remote attackers to execute arbitrary code via unspecified vectors.

7.5 2007-10-01 CVE-2007-5152

Sun Java System Access Manager 7.1, when installed in a Sun Java System Application Server 9.1 container, does not demand authentication after a container restart, which allows remote attackers to perform administrative tasks.

CWE : Common Weakness Enumeration

%idName
33% (2) CWE-264 Permissions, Privileges, and Access Controls
33% (2) CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
16% (1) CWE-287 Improper Authentication
16% (1) CWE-94 Failure to Control Generation of Code ('Code Injection')

Open Source Vulnerability Database (OSVDB)

id Description
56816 Sun Java System Access Manager CDCServlet Component CDSSO Unspecified Informa...
56815 Sun Java System Access Manager AMConfig.properties com.iplanet.services.debug...
55451 Sun Java System Access Manager Cross-Domain Controller (CDC) Unspecified XSS
51382 Sun Java System Access Manager Unspecified Privilege Escalation
42612 Sun Java System Access Manager Administration Console Version Window XSS
42611 Sun Java System Access Manager Administration Console Help Window XSS
37758 Sun Java System Access Manager Container Restart Authentication Bypass
37757 Sun Java System Access Manager Unspecified Remote Code Execution

OpenVAS Exploits

id Description
2009-08-26 Name : Sun Java System Access Manager Information Disclosure vulnerability
File : nvt/secpod_sjs_access_manager_info_disc_vuln.nasl
2009-08-26 Name : Sun JS Access Manager And OpenSSO Information Disclosure vulnerability
File : nvt/secpod_sjs_am_n_opensso_info_disc_vuln.nasl

Information Assurance Vulnerability Management (IAVM)

id Description
2009-T-0007 Multiple Sun Java System Access Manager Vulnerabilities
Severity: Category II - VMSKEY: V0018223

Nessus® Vulnerability Scanner

id Description
2009-04-23 Name: The remote host is missing Sun Security Patch number 120954-12
File: solaris10_120954.nasl - Type: ACT_GATHER_INFO
2009-04-23 Name: The remote host is missing Sun Security Patch number 120955-12
File: solaris10_x86_120955.nasl - Type: ACT_GATHER_INFO
2009-04-23 Name: The remote host is missing Sun Security Patch number 120954-12
File: solaris8_120954.nasl - Type: ACT_GATHER_INFO
2009-04-23 Name: The remote host is missing Sun Security Patch number 120954-12
File: solaris9_120954.nasl - Type: ACT_GATHER_INFO
2009-04-23 Name: The remote host is missing Sun Security Patch number 120955-12
File: solaris9_x86_120955.nasl - Type: ACT_GATHER_INFO
2006-11-06 Name: The remote host is missing Sun Security Patch number 119465-17
File: solaris10_119465.nasl - Type: ACT_GATHER_INFO
2006-11-06 Name: The remote host is missing Sun Security Patch number 119465-17
File: solaris10_x86_119465.nasl - Type: ACT_GATHER_INFO
2006-11-06 Name: The remote host is missing Sun Security Patch number 119465-17
File: solaris8_119465.nasl - Type: ACT_GATHER_INFO
2006-11-06 Name: The remote host is missing Sun Security Patch number 119465-17
File: solaris8_x86_119465.nasl - Type: ACT_GATHER_INFO
2006-11-06 Name: The remote host is missing Sun Security Patch number 119465-17
File: solaris9_119465.nasl - Type: ACT_GATHER_INFO
2006-11-06 Name: The remote host is missing Sun Security Patch number 119465-17
File: solaris9_x86_119465.nasl - Type: ACT_GATHER_INFO