CVE-2008-2945

2008-06-3022:41:00

CWE-20

mitre

web.nvd.nist.gov

sun java system

access manager

identity server

xml signature

vulnerability

xslt

cve-2008-2945

nvd

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

AI Score

7.2

Confidence

Low

EPSS

0.027

Percentile

90.6%

JSON

Sun Java System Access Manager 6.3 through 7.1 and Sun Java System Identity Server 6.1 and 6.2 do not properly process XSLT stylesheets in XSLT transforms in XML signatures, which allows context-dependent attackers to execute arbitrary code via a crafted stylesheet, a related issue to CVE-2007-3715, CVE-2007-3716, and CVE-2007-4289.

Affected configurations

Nvd

Node

sunjava_system_access_managerMatch6.3

sunjava_system_access_managerMatch7.0

sunjava_system_access_managerMatch7.1

sunjava_system_identity_serverMatch6.1

sunjava_system_identity_serverMatch6.2

VendorProductVersionCPE
sunjava_system_access_manager6.3cpe:2.3:a:sun:java_system_access_manager:6.3:*:*:*:*:*:*:*
sunjava_system_access_manager7.0cpe:2.3:a:sun:java_system_access_manager:7.0:*:*:*:*:*:*:*
sunjava_system_access_manager7.1cpe:2.3:a:sun:java_system_access_manager:7.1:*:*:*:*:*:*:*
sunjava_system_identity_server6.1cpe:2.3:a:sun:java_system_identity_server:6.1:*:*:*:*:*:*:*
sunjava_system_identity_server6.2cpe:2.3:a:sun:java_system_identity_server:6.2:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
sun	java_system_access_manager	6.3	cpe:2.3:a:sun:java_system_access_manager:6.3:::::::*
sun	java_system_access_manager	7.0	cpe:2.3:a:sun:java_system_access_manager:7.0:::::::*
sun	java_system_access_manager	7.1	cpe:2.3:a:sun:java_system_access_manager:7.1:::::::*
sun	java_system_identity_server	6.1	cpe:2.3:a:sun:java_system_identity_server:6.1:::::::*
sun	java_system_identity_server	6.2	cpe:2.3:a:sun:java_system_identity_server:6.2:::::::*