CVE-2004-2696

BEA WebLogic Server and WebLogic Express 6.1, 7.0, 8.1 - Unauthenticated User Identity Spoofing via RMI over IIOP

Title source: llm
STIX 2.1

Description

BEA WebLogic Server and WebLogic Express 6.1, 7.0, and 8.1, when using Remote Method Invocation (RMI) over Internet Inter-ORB Protocol (IIOP), does not properly handle when multiple logins for different users coming from the same client, which could cause an "unexpected user identity" to be used in an RMI call.

References (6)

Core 6
Core References
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/11865
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/16421
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1010493
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/10545
Vendor Advisory vendor-advisory x_refsource_bea
http://dev2dev.bea.com/pub/advisory/59
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/7081

Scores

EPSS 0.0058
EPSS Percentile 69.2%

Details

CWE
CWE-255
Status published
Products (3)
bea/weblogic_server 6.1 (21 CPE variants)
bea/weblogic_server 7.0 (18 CPE variants)
bea/weblogic_server 7.0.0.1 (11 CPE variants)
Published Dec 31, 2004
Tracked Since Feb 18, 2026