Password Change Vulnerability in Sun Java System Identity Manager by Sun Microsystems
CVE-2009-1077

Currently unrated

Key Information:

Vendor: Oracle
CVE Published: 25 March 2009

Summary

The Change My Password feature in the admin interface of Sun Java System Identity Manager versions 7.0 and 8.0 does not enforce the RequiresChallenge property setting. As a result, remote authenticated users can change the passwords of other accounts without the required verification. The example highlighted is changing an administrator's password, which poses a significant security threat and potential for abuse if exploited.
