Description
BEA WebLogic 7.0 through 7.0 SP6, 8.1 through 8.1 SP4, and 9.0 initial release does not encrypt passwords stored in the JDBCDataSourceFactory MBean Properties, which allows local administrative users to read the cleartext password.
References (6)
Core 6
Core References
Patch, Vendor Advisory vendor-advisory
x_refsource_bea
http://dev2dev.bea.com/pub/advisory/203
Third Party Advisory, VDB Entry vdb-entry
x_refsource_osvdb
http://osvdb.org/38501
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://securitytracker.com/id?1017525
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/23750
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/22082
Third Party Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2007/0213
Scores
EPSS
0.0007
EPSS Percentile
22.2%
Details
Status
published
Products (5)
bea/weblogic_server
7.0
bea/weblogic_server
8.1
bea/weblogic_server
9.0
bea/weblogic_server
< 7.0
bea/weblogic_server
< 8.1
Published
Jan 23, 2007
Tracked Since
Feb 18, 2026