CVE-2009-0217

Disclosure Date: July 14, 2009

Description

The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits.
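The flaw is easier to see in code than in the advisory text. The following is an added example, not code from any of the listed products: a minimal truncated-HMAC verifier written the way the pre-fix implementations behaved (the document's own HMACOutputLength decides how many bits are compared), an attacker that forges a SignatureValue without the key by enumerating the few bits that are checked, and a hardened verifier that refuses any HMACOutputLength below 80 bits or half the hash output (the floor adopted in the corrected recommendation). The key, the SignedInfo bytes and HMAC-SHA1 as the algorithm are constructed for the demo and are assumptions, not values from a real deployment.

```python
"""Truncated-HMAC verification as in CVE-2009-0217: an unbounded HMACOutputLength
lets the *signer* choose how many bits of the MAC the verifier actually checks."""
import hmac
import hashlib

HASH = hashlib.sha1  # HMAC-SHA1 was the usual XMLDsig HMAC algorithm in 2009 (assumption)

# Constructed demo values, not taken from any real deployment.
KEY = b"shared-secret-between-idp-and-sp"
SIGNED_INFO = b"<ds:SignedInfo>...canonicalised bytes covered by the MAC...</ds:SignedInfo>"


def truncate_bits(mac: bytes, nbits: int) -> bytes:
    """Keep the leading nbits of mac and zero the unused low bits of the last byte,
    which is how XMLDsig defines HMACOutputLength truncation."""
    nbytes = (nbits + 7) // 8
    out = bytearray(mac[:nbytes])
    rem = nbits % 8
    if rem and out:
        out[-1] &= (0xFF << (8 - rem)) & 0xFF
    return bytes(out)


def sign(key: bytes, signed_info: bytes, nbits=None) -> bytes:
    """Legitimate signer: full HMAC, optionally truncated to nbits."""
    mac = hmac.new(key, signed_info, HASH).digest()
    return mac if nbits is None else truncate_bits(mac, nbits)


def verify_vulnerable(key, signed_info, signature_value, hmac_output_length):
    """Pre-fix behaviour: trust whatever HMACOutputLength the signed document declares,
    so only that many leading bits of the MAC are compared (zero bits => always true)."""
    expected = truncate_bits(sign(key, signed_info), hmac_output_length)
    return hmac.compare_digest(expected, truncate_bits(signature_value, hmac_output_length))


def forge(signed_info, hmac_output_length, accepts):
    """Attacker with no key: declare a tiny HMACOutputLength, then try each of the
    2**hmac_output_length possible truncated values. accepts() plays the verifier.
    Returns (accepted SignatureValue, attempts needed)."""
    nbytes = (hmac_output_length + 7) // 8
    for v in range(2 ** hmac_output_length):
        guess = (v << (8 * nbytes - hmac_output_length)).to_bytes(nbytes, "big")
        if accepts(guess):
            return guess, v + 1
    return None, 2 ** hmac_output_length


MIN_HMAC_OUTPUT_BITS = 80  # floor from the corrected recommendation (with half the hash length)


def verify_hardened(key, signed_info, signature_value, hmac_output_length=None):
    """Post-fix behaviour: reject HMACOutputLength below max(80, hash_bits/2) or above
    the hash size before any comparison is made; absent means the full MAC."""
    full_bits = HASH().digest_size * 8
    if hmac_output_length is None:
        hmac_output_length = full_bits
    floor = max(MIN_HMAC_OUTPUT_BITS, full_bits // 2)
    if not floor <= hmac_output_length <= full_bits:
        raise ValueError(f"HMACOutputLength {hmac_output_length} outside [{floor}, {full_bits}]")
    expected = truncate_bits(sign(key, signed_info), hmac_output_length)
    return hmac.compare_digest(expected, truncate_bits(signature_value, hmac_output_length))


def rejects_truncation(nbits) -> bool:
    """True if the hardened verifier refuses the declared length outright."""
    try:
        verify_hardened(KEY, SIGNED_INFO, b"", nbits)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for nbits in (0, 1, 8):
        val, attempts = forge(SIGNED_INFO, nbits,
                              lambda s, n=nbits: verify_vulnerable(KEY, SIGNED_INFO, s, n))
        print(f"HMACOutputLength={nbits}: forged in {attempts} attempt(s) -> {val!r}")
    print("hardened rejects HMACOutputLength=0:", rejects_truncation(0))
    print("hardened accepts real 80-bit MAC:",
          verify_hardened(KEY, SIGNED_INFO, sign(KEY, SIGNED_INFO, 80), 80))
```

Two points the code makes explicit: with HMACOutputLength of 0 the comparison is over zero bytes and succeeds on the first try, and with any small value the attacker simply cycles through 2^n candidates, so the "signature" carries no authentication at all. The hardened verifier validates the declared length before touching the MAC, which is the shape of the fix every affected vendor shipped; checking it after a truncated compare, or only when the element is present, leaves the bypass open.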

General Information

Vendors

  • ibm,
  • mono project,
  • oracle

Products

  • application server 10.1.2.3,
  • application server 10.1.3.4,
  • application server 10.1.4.3im,
  • bea product suite 10.0,
  • bea product suite 10.3,
  • bea product suite 8.1,
  • bea product suite 9.0,
  • bea product suite 9.1,
  • bea product suite 9.2,
  • mono 1.2.1,
  • mono 1.2.2,
  • mono 1.2.3,
  • mono 1.2.4,
  • mono 1.2.5,
  • mono 1.2.6,
  • mono 1.9,
  • mono 2.0,
  • weblogic server component 10.0,
  • weblogic server component 10.3,
  • weblogic server component 8.1,
  • weblogic server component 9.0,
  • weblogic server component 9.1,
  • weblogic server component 9.2,
  • websphere application server 6.0,
  • websphere application server 6.0.0.1,
  • websphere application server 6.0.0.2,
  • websphere application server 6.0.0.3,
  • websphere application server 6.0.1,
  • websphere application server 6.0.1.1,
  • websphere application server 6.0.1.11,
  • websphere application server 6.0.1.13,
  • websphere application server 6.0.1.15,
  • websphere application server 6.0.1.17,
  • websphere application server 6.0.1.2,
  • websphere application server 6.0.1.3,
  • websphere application server 6.0.1.5,
  • websphere application server 6.0.1.7,
  • websphere application server 6.0.1.9,
  • websphere application server 6.0.2,
  • websphere application server 6.0.2.1,
  • websphere application server 6.0.2.10,
  • websphere application server 6.0.2.11,
  • websphere application server 6.0.2.12,
  • websphere application server 6.0.2.13,
  • websphere application server 6.0.2.14,
  • websphere application server 6.0.2.15,
  • websphere application server 6.0.2.16,
  • websphere application server 6.0.2.17,
  • websphere application server 6.0.2.18,
  • websphere application server 6.0.2.19,
  • websphere application server 6.0.2.2,
  • websphere application server 6.0.2.20,
  • websphere application server 6.0.2.21,
  • websphere application server 6.0.2.22,
  • websphere application server 6.0.2.23,
  • websphere application server 6.0.2.24,
  • websphere application server 6.0.2.25,
  • websphere application server 6.0.2.28,
  • websphere application server 6.0.2.29,
  • websphere application server 6.0.2.3,
  • websphere application server 6.0.2.30,
  • websphere application server 6.0.2.31,
  • websphere application server 6.0.2.32,
  • websphere application server 6.0.2.33,
  • websphere application server 6.1,
  • websphere application server 6.1.0,
  • websphere application server 6.1.0.0,
  • websphere application server 6.1.0.1,
  • websphere application server 6.1.0.10,
  • websphere application server 6.1.0.11,
  • websphere application server 6.1.0.12,
  • websphere application server 6.1.0.13,
  • websphere application server 6.1.0.14,
  • websphere application server 6.1.0.15,
  • websphere application server 6.1.0.16,
  • websphere application server 6.1.0.17,
  • websphere application server 6.1.0.18,
  • websphere application server 6.1.0.19,
  • websphere application server 6.1.0.2,
  • websphere application server 6.1.0.20,
  • websphere application server 6.1.0.21,
  • websphere application server 6.1.0.22,
  • websphere application server 6.1.0.23,
  • websphere application server 6.1.0.3,
  • websphere application server 6.1.0.4,
  • websphere application server 6.1.0.5,
  • websphere application server 6.1.0.6,
  • websphere application server 6.1.0.7,
  • websphere application server 6.1.0.8,
  • websphere application server 6.1.0.9,
  • websphere application server 7.0,
  • websphere application server 7.0.0.1
