Access Control Flaw in IBM FileNet Content Manager Affects IBM and Oracle Products
CVE-2009-1953
Summary
An access control vulnerability exists in IBM FileNet Content Manager 4.0, 4.0.1, and 4.5, in particular when it is deployed on IBM WebSphere Application Server or Oracle BEA WebLogic Application Server. When the CE Web Services listener is configured with a specific WSEAF setting, it fails to properly restrict the use of a cached Subject. As a result, a remote attacker could reuse the cached credentials of a recently authenticated user and gain unauthorized access to sensitive information or functionality. Verifying the listener's configuration and applying the vendor's security patches is crucial to mitigating this risk.
References
Timeline
Vulnerability published
Vulnerability Reserved