This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
Vendor Sun First view 2006-02-03
Product Java System Access Manager Last view 2011-01-19
Version Type Application
Update  
Edition  
Language  
Sofware Edition  
Target Software  
Target Hardware  
Other  

Activity : Overall

COMMON PLATFORM ENUMERATION: Repartition per Version

CPE Name Affected CVE
cpe:2.3:a:sun:java_system_access_manager:7.1:*:windows:*:*:*:*:* 7
cpe:2.3:a:sun:java_system_access_manager:7.1:*:linux:*:*:*:*:* 5
cpe:2.3:a:sun:java_system_access_manager:7.1:*:solaris_sparc:*:*:*:*:* 4
cpe:2.3:a:sun:java_system_access_manager:7.1:*:solaris_x86:*:*:*:*:* 4
cpe:2.3:a:sun:java_system_access_manager:7.1:*:*:*:*:*:*:* 4
cpe:2.3:a:sun:java_system_access_manager:7.1:*:solaris_9_sparc:*:*:*:*:* 4
cpe:2.3:a:sun:java_system_access_manager:7_2005q4:*:solaris_10_sparc:*:*:*:*:* 4
cpe:2.3:a:sun:java_system_access_manager:7.1:*:solaris_8_x86:*:*:*:*:* 4
cpe:2.3:a:sun:java_system_access_manager:7.1:*:solaris_10_x86:*:*:*:*:* 4
cpe:2.3:a:sun:java_system_access_manager:7.1:*:solaris_10_sparc:*:*:*:*:* 4
cpe:2.3:a:sun:java_system_access_manager:7_2005q4:*:solaris_8_sparc:*:*:*:*:* 4
cpe:2.3:a:sun:java_system_access_manager:7_2005q4:*:solaris_9_sparc:*:*:*:*:* 4
cpe:2.3:a:sun:java_system_access_manager:7.1:*:solaris_8_sparc:*:*:*:*:* 4
cpe:2.3:a:sun:java_system_access_manager:7.1:*:solaris_9_x86:*:*:*:*:* 4
cpe:2.3:a:sun:java_system_access_manager:7.0_2005q4:*:windows:*:*:*:*:* 4
cpe:2.3:a:sun:java_system_access_manager:6.3_2005q1:*:solaris_10_sparc:*:*:*:*:* 3
cpe:2.3:a:sun:java_system_access_manager:7_2005q4:*:solaris_9_x86:*:*:*:*:* 3
cpe:2.3:a:sun:java_system_access_manager:7_2005q4:*:solaris_8_x86:*:*:*:*:* 3
cpe:2.3:a:sun:java_system_access_manager:6.3_2005q1:*:solaris_8_linux:*:*:*:*:* 3
cpe:2.3:a:sun:java_system_access_manager:7_2005q4:*:solaris_10_linux:*:*:*:*:* 3
cpe:2.3:a:sun:java_system_access_manager:6.3_2005q1:*:solaris_9_linux:*:*:*:*:* 3
cpe:2.3:a:sun:java_system_access_manager:6.3_2005q1:*:solaris_9_sparc:*:*:*:*:* 3
cpe:2.3:a:sun:java_system_access_manager:6.3_2005q1:*:solaris_10_linux:*:*:*:*:* 3
cpe:2.3:a:sun:java_system_access_manager:7.1:*:solaris_10_linux:*:*:*:*:* 3
cpe:2.3:a:sun:java_system_access_manager:7_2005q4:*:solaris_10_x86:*:*:*:*:* 3
cpe:2.3:a:sun:java_system_access_manager:6.3_2005q1:*:solaris_8_x86:*:*:*:*:* 3
cpe:2.3:a:sun:java_system_access_manager:6.3_2005q1:*:solaris_10_x86:*:*:*:*:* 3
cpe:2.3:a:sun:java_system_access_manager:6.3_2005q1:*:solaris_9_x86:*:*:*:*:* 3
cpe:2.3:a:sun:java_system_access_manager:7.1:*:solaris_9_linux:*:*:*:*:* 3
cpe:2.3:a:sun:java_system_access_manager:6.3_2005q1:*:solaris_8_sparc:*:*:*:*:* 3
cpe:2.3:a:sun:java_system_access_manager:7_2005q4:*:solaris_9_linux:*:*:*:*:* 3
cpe:2.3:a:sun:java_system_access_manager:7.1:*:solaris_8_linux:*:*:*:*:* 3
cpe:2.3:a:sun:java_system_access_manager:7_2005q4:*:solaris_8_linux:*:*:*:*:* 3
cpe:2.3:a:sun:java_system_access_manager:7.0:*:*:*:*:*:*:* 3
cpe:2.3:a:sun:java_system_access_manager:7.1:*:hp-ux:*:*:*:*:* 3
cpe:2.3:a:sun:java_system_access_manager:6.3:*:*:*:*:*:*:* 3
cpe:2.3:a:sun:java_system_access_manager:*:*:*:*:*:*:*:* 2
cpe:2.3:a:sun:java_system_access_manager:7.0_2005q4:*:hp-ux:*:*:*:*:* 2
cpe:2.3:a:sun:java_system_access_manager:7.1:*:war:*:*:*:*:* 2
cpe:2.3:a:sun:java_system_access_manager:7.0:*:linux:*:*:*:*:* 2
cpe:2.3:a:sun:java_system_access_manager:7.0_2005q4:*:*:*:*:*:*:* 1
cpe:2.3:a:sun:java_system_access_manager:6.3_2005q1:*:solaris_8_windows:*:*:*:*:* 1
cpe:2.3:a:sun:java_system_access_manager:7_2005q4:*:solaris_10_windows:*:*:*:*:* 1
cpe:2.3:a:sun:java_system_access_manager:7_2005q4:*:solaris_9_windows:*:*:*:*:* 1
cpe:2.3:a:sun:java_system_access_manager:6.3_2005q1:*:solaris_10_windows:*:*:*:*:* 1
cpe:2.3:a:sun:java_system_access_manager:7.1:*:solaris_8_windows:*:*:*:*:* 1
cpe:2.3:a:sun:java_system_access_manager:7.1:*:solaris_10_windows:*:*:*:*:* 1
cpe:2.3:a:sun:java_system_access_manager:7_2005q4:*:solaris_8_windows:*:*:*:*:* 1
cpe:2.3:a:sun:java_system_access_manager:7.1:*:solaris_9_windows:*:*:*:*:* 1
cpe:2.3:a:sun:java_system_access_manager:6.3_2005q1:*:solaris_9_windows:*:*:*:*:* 1

Related : CVE

  Date Alert Description
6.8 2011-01-19 CVE-2010-4444

Unspecified vulnerability in Oracle Sun Java System Access Manager and Oracle OpenSSO 7, 7.1, and 8 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

4.3 2009-08-07 CVE-2009-2713

The CDCServlet component in Sun Java System Access Manager 7.0 2005Q4 and 7.1, when Cross Domain Single Sign On (CDSSO) is enabled, does not ensure that "policy advice" is presented to the correct client, which allows remote attackers to obtain sensitive information via unspecified vectors.

2.1 2009-08-07 CVE-2009-2712

Sun Java System Access Manager 6.3 2005Q1, 7.0 2005Q4, and 7.1; and OpenSSO Enterprise 8.0; when AMConfig.properties enables the debug flag, allows local users to discover cleartext passwords by reading debug files.

2.6 2009-07-01 CVE-2009-2268

Cross-site scripting (XSS) vulnerability in the Cross-Domain Controller (CDC) servlet in Sun Java System Access Manager 6 2005Q1, 7 2005Q4, and 7.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

5 2009-01-29 CVE-2009-0348

The login module in Sun Java System Access Manager 6 2005Q1 (aka 6.3), 7 2005Q4 (aka 7.0), and 7.1 responds differently to a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames.

6 2009-01-16 CVE-2009-0170

Sun Java System Access Manager 6.3 2005Q1, 7 2005Q4, and 7.1 allows remote authenticated users with console privileges to discover passwords, and obtain unspecified other "access to resources," by visiting the Configuration Items component in the console.

9 2009-01-16 CVE-2009-0169

Sun Java System Access Manager 7.1 allows remote authenticated sub-realm administrators to gain privileges, as demonstrated by creating the amadmin account in the sub-realm, and then logging in as amadmin in the root realm.

7.5 2008-06-30 CVE-2008-2945

Sun Java System Access Manager 6.3 through 7.1 and Sun Java System Identity Server 6.1 and 6.2 do not properly process XSLT stylesheets in XSLT transforms in XML signatures, which allows context-dependent attackers to execute arbitrary code via a crafted stylesheet, a related issue to CVE-2007-3715, CVE-2007-3716, and CVE-2007-4289.

9.3 2008-06-16 CVE-2008-2705

Unspecified vulnerability in Sun Java System Access Manager (AM) 7.1, when used with certain versions and configurations of Sun Directory Server Enterprise Edition (DSEE), allows remote attackers to bypass authentication via unspecified vectors.

4.3 2008-03-07 CVE-2008-1204

Multiple cross-site scripting (XSS) vulnerabilities in the Administration Console in Sun Java System Access Manager 7.1 and 7 2005Q4 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors related to the (1) Help and (2) Version windows.

6.8 2007-10-01 CVE-2007-5153

Unspecified vulnerability in Sun Java System Access Manager 7.1, when installed in a Sun Java System Application Server 8.x container, allows remote attackers to execute arbitrary code via unspecified vectors.

7.5 2007-10-01 CVE-2007-5152

Sun Java System Access Manager 7.1, when installed in a Sun Java System Application Server 9.1 container, does not demand authentication after a container restart, which allows remote attackers to perform administrative tasks.

1.7 2007-07-11 CVE-2007-3700

Sun Java System Access Manager (formerly Java System Identity Server) before 20070710, when the message debug level is configured in the com.iplanet.services.debug.level property in AMConfig.properties, logs cleartext login passwords, which allows local users to gain privileges by reading /var/opt/SUNWam/debug/amAuth.

4.3 2007-01-31 CVE-2007-0628

Multiple cross-site scripting (XSS) vulnerabilities in Sun Java System Access Manager 6.1, 6.2, 6 2005Q1 (6.3), and 7 2005Q4 (7.0) before 20070129 allow remote attackers to inject arbitrary web script or HTML via the (1) goto or (2) gx-charset parameter. NOTE: some of these details are obtained from third party information.

7.2 2006-02-03 CVE-2006-0531

Unspecified vulnerability in Sun Java System Access Manager 7.0 allows local users logged in as "root" to bypass authentication and gain top-level administrator privileges via the amadmin CLI tool.

CWE : Common Weakness Enumeration

%idName
27% (3) CWE-264 Permissions, Privileges, and Access Controls
18% (2) CWE-287 Improper Authentication
18% (2) CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
9% (1) CWE-255 Credentials Management
9% (1) CWE-200 Information Exposure
9% (1) CWE-94 Failure to Control Generation of Code ('Code Injection')
9% (1) CWE-20 Improper Input Validation

Oval Markup Language : Definitions

OvalID Name
oval:org.mitre.oval:def:755 Sun Java System Access Manager Local Authentication Bypass Vulnerability
oval:org.mitre.oval:def:360 Sun Java System Access Manager Local Authentication Bypass Vulnerability

Open Source Vulnerability Database (OSVDB)

id Description
70580 Oracle OpenSSO Unspecified Remote Issue
70579 Sun Java System Access Manager Unspecified Remote Issue
56816 Sun Java System Access Manager CDCServlet Component CDSSO Unspecified Informa...
56815 Sun Java System Access Manager AMConfig.properties com.iplanet.services.debug...
55451 Sun Java System Access Manager Cross-Domain Controller (CDC) Unspecified XSS
51666 Sun Java System Access Manager Login Module User Account Enumeration Weakness
51382 Sun Java System Access Manager Unspecified Privilege Escalation
51381 Sun Java System Access Manager Unspecified Password Disclosure
46579 Sun Java System Access Manager XSLT Stylesheet Processing Arbitrary Code Exec...
46149 Sun Java System Access Manager Unspecified Remote Authentication Bypass
42612 Sun Java System Access Manager Administration Console Version Window XSS
42611 Sun Java System Access Manager Administration Console Help Window XSS
37758 Sun Java System Access Manager Container Restart Authentication Bypass
37757 Sun Java System Access Manager Unspecified Remote Code Execution
37249 Sun Java System Access Manager /var/opt/SUNWam/debug/amAuth Cleartext Passwor...
33010 Sun Java System Access Manager Multiple XSS
22914 Sun Java System Access Manager Administrator amadmin Local Privilege Escalation

OpenVAS Exploits

id Description
2011-02-01 Name : Oracle Java Access Manager And OpenSSO Unspecified Vulnerability
File : nvt/secpod_oracle_sam_n_opensso_unspecified_vuln.nasl
2009-08-26 Name : Sun Java System Access Manager Information Disclosure vulnerability
File : nvt/secpod_sjs_access_manager_info_disc_vuln.nasl
2009-08-26 Name : Sun JS Access Manager And OpenSSO Information Disclosure vulnerability
File : nvt/secpod_sjs_am_n_opensso_info_disc_vuln.nasl

Information Assurance Vulnerability Management (IAVM)

id Description
2009-T-0007 Multiple Sun Java System Access Manager Vulnerabilities
Severity: Category II - VMSKEY: V0018223

Nessus® Vulnerability Scanner

id Description
2009-04-23 Name: The remote host is missing Sun Security Patch number 120954-12
File: solaris10_120954.nasl - Type: ACT_GATHER_INFO
2009-04-23 Name: The remote host is missing Sun Security Patch number 120955-12
File: solaris10_x86_120955.nasl - Type: ACT_GATHER_INFO
2009-04-23 Name: The remote host is missing Sun Security Patch number 120954-12
File: solaris8_120954.nasl - Type: ACT_GATHER_INFO
2009-04-23 Name: The remote host is missing Sun Security Patch number 120954-12
File: solaris9_120954.nasl - Type: ACT_GATHER_INFO
2009-04-23 Name: The remote host is missing Sun Security Patch number 120955-12
File: solaris9_x86_120955.nasl - Type: ACT_GATHER_INFO
2009-02-09 Name: The remote web server contains a module that leaks information.
File: amserver_user_enumeration.nasl - Type: ACT_GATHER_INFO
2008-02-05 Name: The remote host is missing Sun Security Patch number 117586-22
File: solaris8_117586.nasl - Type: ACT_GATHER_INFO
2008-02-05 Name: The remote host is missing Sun Security Patch number 117586-22
File: solaris9_117586.nasl - Type: ACT_GATHER_INFO
2006-11-06 Name: The remote host is missing Sun Security Patch number 119465-17
File: solaris10_119465.nasl - Type: ACT_GATHER_INFO
2006-11-06 Name: The remote host is missing Sun Security Patch number 119465-17
File: solaris10_x86_119465.nasl - Type: ACT_GATHER_INFO
2006-11-06 Name: The remote host is missing Sun Security Patch number 115766-15
File: solaris8_115766.nasl - Type: ACT_GATHER_INFO
2006-11-06 Name: The remote host is missing Sun Security Patch number 119465-17
File: solaris8_119465.nasl - Type: ACT_GATHER_INFO
2006-11-06 Name: The remote host is missing Sun Security Patch number 119465-17
File: solaris8_x86_119465.nasl - Type: ACT_GATHER_INFO
2006-11-06 Name: The remote host is missing Sun Security Patch number 115766-15
File: solaris9_115766.nasl - Type: ACT_GATHER_INFO
2006-11-06 Name: The remote host is missing Sun Security Patch number 119465-17
File: solaris9_119465.nasl - Type: ACT_GATHER_INFO
2006-11-06 Name: The remote host is missing Sun Security Patch number 119465-17
File: solaris9_x86_119465.nasl - Type: ACT_GATHER_INFO