CVE-2009-1075 - Credentials Management vulnerability in SUN Java System Identity Manager
CVSS metrics

Metric | Value |
---|---|
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | PARTIAL |
Integrity impact | NONE |
Availability impact | NONE |

Summary
Sun Java System Identity Manager (IdM) 7.0 through 8.0 responds differently to failed use of the Forgot Password feature depending on whether the user account exists, which allows remote attackers to enumerate valid usernames.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 4 |
Common Weakness Enumeration (CWE)
Nessus

Field | Value |
---|---|
NASL family | CGI abuses |
NASL id | SUN_IDM_ACCT_DISCLOSURE.NASL |
description | The version of Sun Java System Identity Manager running on the remote host has the following account enumeration vulnerabilities: (1) the error message for a failed login attempt differs depending on whether or not a valid username was given; (2) requesting IDMROOT/questionLogin.jsp?accountId=USERNAME returns different results depending on whether USERNAME is valid. A remote attacker could use these to enumerate valid usernames, which could be used to mount further attacks. There are also other issues known to be associated with this version of Identity Manager that Nessus has not tested for. Refer to Sun Security Alert #253267 for more information. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 38198 |
published | 2009-04-28 |
reporter | This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/38198 |
title | Sun Java System Identity Manager Account Disclosure |
References
- http://blogs.sun.com/security/entry/sun_alert_253267_sun_java
- http://secunia.com/advisories/34380
- http://securitytracker.com/id?1021881
- http://sunsolve.sun.com/search/document.do?assetkey=1-21-140936-01-1
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-253267-1
- http://www.securityfocus.com/bid/34191
- http://www.vupen.com/english/advisories/2009/0797