Vulnerability Note VU#470470
BEA WebLogic Server fails to properly associate re-created groups
WebLogic Server contains a vulnerability that could result in the creation of new groups inheriting the privileges of a previously deleted group if members of the deleted group still exist.
BEA Systems describes WebLogic Server as "an industrial-strength application infrastructure for developing, integrating, securing, and managing distributed Java applications." The WebLogic Authentication provider is the default authentication mechanism and allows system administrators to manage users and group memberships. Under certain circumstances, members of one group may be unintentionally granted the privileges of a legacy group. If the legacy group had administrative access, then the new group would also inherit these privileges.
According to the BEA Security Advisory,
2. The system administrator then creates a second group (for example, Group2).
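To make the failure mode concrete, the following is an added, constructed model (not WebLogic's code and not from the BEA advisory) of a group directory whose role grants and memberships are keyed by group name and survive the group's deletion; the group, user and role names are made up. With `purge_on_delete=False` a re-created `Admins` group revives the deleted group's members and their `Admin` role; the hardened variant purges the dependent records when the group is deleted.

```python
# Constructed model (not WebLogic code) of the lifecycle defect in VU#470470:
# role grants and memberships are keyed by group name and survive deletion,
# so re-creating the name revives the deleted group's members and privileges.
from dataclasses import dataclass, field


@dataclass
class GroupDirectory:
    purge_on_delete: bool = False                 # False reproduces the defect
    groups: set = field(default_factory=set)
    members: dict = field(default_factory=dict)   # user -> set of group names
    roles: dict = field(default_factory=dict)     # group name -> set of roles

    def create_group(self, name):
        self.groups.add(name)   # stale members/roles under this name are kept

    def add_member(self, user, group):
        if group not in self.groups:
            raise KeyError(group)
        self.members.setdefault(user, set()).add(group)

    def grant_role(self, group, role):
        if group not in self.groups:
            raise KeyError(group)
        self.roles.setdefault(group, set()).add(role)

    def delete_group(self, name):
        self.groups.discard(name)
        if self.purge_on_delete:
            # Hardened: drop every record that still references the name
            self.roles.pop(name, None)
            for user_groups in self.members.values():
                user_groups.discard(name)

    def effective_roles(self, user):
        # Only groups that currently exist confer privileges
        return {role for g in self.members.get(user, set()) if g in self.groups
                for role in self.roles.get(g, set())}


def recreate_scenario(purge_on_delete):
    """Grant Admins the Admin role, delete the group, then re-create the name."""
    d = GroupDirectory(purge_on_delete)
    d.create_group("Admins")
    d.add_member("alice", "Admins")
    d.grant_role("Admins", "Admin")
    d.delete_group("Admins")
    assert d.effective_roles("alice") == set()   # nothing while group is absent
    d.create_group("Admins")                     # intended to start empty
    return d.effective_roles("alice")            # {'Admin'} if stale, set() if purged
```

The check a deployment would want is the one `effective_roles` performs after deletion and re-creation: a freshly created group should confer no privileges on anyone until memberships and roles are explicitly assigned again.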
The BEA Security Advisory states that the following versions of WebLogic Server and Express are affected by this vulnerability:
A group of users may be unintentionally granted administrative privileges.
Systems Affected

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| BEA Systems Inc. | Affected | - | 16 Apr 2004 |

CVSS Metrics
This vulnerability was reported by BEA Systems Inc.
This document was written by Damon Morda.
- CVE IDs: Unknown
- Date Public: 14 Apr 2004
- Date First Published: 16 Apr 2004
- Date Last Updated: 19 Apr 2004
- Severity Metric: 0.52
- Document Revision: 20