{"vuid":"VU#331937","idnumber":"331937","name":"BEA WebLogic Server \"ResourceAllocationException\" exception may disclose user password","keywords":["BEA","WebLogic Server","JMS message","ResourceAllocationException","information disclosure","user password"],"overview":"A vulnerability in BEA's WebLogic Server may disclose sensitive information.","clean_desc":"From the BEA WebLogic Server 7.0 Overview: BEA WebLogic Server is a fully featured, standards-based application server providing the foundation on which an enterprise can build its applications. BEA released a security advisory (BEA03-24.00) detailing an information disclosure vulnerability. Quoting from BEA03-24.00: This vulnerability concerns the display of the system password. If an application is using a bridge to route messages to a JMS target domain, and either that domain is not available, or a configuration problem prevents the obtaining of an initial context for the JMS target domain, WebLogic Server throws a ResourceAllocationException that may include the user’s password.","impact":"A remote attacker may be able to gain access to the system password.","resolution":"Apply a patch.","workarounds":"","sysaffected":"","thanks":"Our thanks to BEA Systems for providing BEA03-24.00.","author":"This document was written by Ian A Finlay.","public":["http://www.securityfocus.com/bid/6586"],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2003-01-14T18:06:24Z","publicdate":"2003-01-11T00:00:00Z","datefirstpublished":"2003-01-15T18:48:24Z","dateupdated":"2003-01-20T13:13:01Z","revision":5,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"17","cam_population":"10","cam_impact":"18","cam_easeofexploitation":"8","cam_attackeraccessrequired":"20","cam_scorecurrent":"17.28","cam_scorecurrentwidelyknown":"19.98","cam_scorecurrentwidelyknownexploited":"30.78","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":17.28,"vulnote":null}