CVE-2009-3960

Unspecified vulnerability in BlazeDS 3.2 and earlier, as used in LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and ColdFusion 7.0.2, 8.0, 8.0.1, and 9.0, allows remote attackers to obtain sensitive information via vectors that are associated with a request, and related to injected tags and external entity references in XML documents.

CVSS v2.0 4.3 MEDIUM

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:N/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://secunia.com/advisories/38543
http://securitytracker.com/id?1023584
http://www.adobe.com/support/security/bulletins/apsb10-05.html	Vendor Advisory
http://www.osvdb.org/62292
http://www.securityfocus.com/bid/38197
https://www.exploit-db.com/exploits/41855/

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:adobe:blazeds::::::::
	cpe:2.3:a:adobe:coldfusion:7.0.2:::::::*
	cpe:2.3:a:adobe:coldfusion:8.0:::::::*
	cpe:2.3:a:adobe:coldfusion:8.0.1:::::::*
	cpe:2.3:a:adobe:coldfusion:9.0:::::::*
	cpe:2.3:a:adobe:flex_data_services:2.0.1:::::::*
	cpe:2.3:a:adobe:lifecycle:8.0.1:::::::*
	cpe:2.3:a:adobe:lifecycle:8.2.1:::::::*
	cpe:2.3:a:adobe:lifecycle:9.0:::::::*
	cpe:2.3:a:adobe:lifecycle_data_services:2.5.1:::::::*
	cpe:2.3:a:adobe:lifecycle_data_services:2.6.1:::::::*
	cpe:2.3:a:adobe:lifecycle_data_services:3.0:::::::*

History

No history.

Information

Published : 2010-02-15 18:30

Updated : 2017-08-16 01:29

NVD link : CVE-2009-3960

Mitre link : CVE-2009-3960

CVE.ORG link : CVE-2009-3960

JSON object : View

Products Affected

adobe

flex_data_services
coldfusion
lifecycle_data_services
lifecycle
blazeds

CWE

NVD-CWE-noinfo

{"id": "CVE-2009-3960", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}]}, "published": "2010-02-15T18:30:00.407", "references": [{"url": "http://secunia.com/advisories/38543", "source": "psirt@adobe.com"}, {"url": "http://securitytracker.com/id?1023584", "source": "psirt@adobe.com"}, {"url": "http://www.adobe.com/support/security/bulletins/apsb10-05.html", "tags": ["Vendor Advisory"], "source": "psirt@adobe.com"}, {"url": "http://www.osvdb.org/62292", "source": "psirt@adobe.com"}, {"url": "http://www.securityfocus.com/bid/38197", "source": "psirt@adobe.com"}, {"url": "https://www.exploit-db.com/exploits/41855/", "source": "psirt@adobe.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Unspecified vulnerability in BlazeDS 3.2 and earlier, as used in LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and ColdFusion 7.0.2, 8.0, 8.0.1, and 9.0, allows remote attackers to obtain sensitive information via vectors that are associated with a request, and related to injected tags and external entity references in XML documents."}, {"lang": "es", "value": "Vulnerabilidad sin especificar en BlazeDS v3.2 y anteriores, tal como es utilizado en LiveCycle v8.0.1, v8.2.1 y v9.0, LiveCycle Data Services v2.5.1, v2.6.1 y v3.0, Flex Data Services v2.0.1 y ColdFusion v7.0.2, v8.0, v8.0.1 y v9.0. Permite a atacantes remotos obtener informaci\u00f3n confidencial a trav\u00e9s de vectores de ataque asociados con una petici\u00f3n, y relacionados con una etiqueta inyectada y una referencia a una entidad externa en documentos XML."}], "lastModified": "2017-08-16T01:29:00.447", "cisaActionDue": "2022-09-07", "cisaExploitAdd": "2022-03-07", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:adobe:blazeds:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AEF7C97E-BE99-415D-B12B-D3E7BD9EDF08", "versionEndIncluding": "3.2"}, {"criteria": "cpe:2.3:a:adobe:coldfusion:7.0.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B015715F-9672-480E-B0AA-968D8C9070D5"}, {"criteria": "cpe:2.3:a:adobe:coldfusion:8.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DD6C1877-7412-4FBE-9641-334971F9D153"}, {"criteria": "cpe:2.3:a:adobe:coldfusion:8.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "28C8D6AF-EDE1-42BD-A47C-2EF8690299BD"}, {"criteria": "cpe:2.3:a:adobe:coldfusion:9.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "113431FB-E4BE-4416-800C-6B13AD1C0E92"}, {"criteria": "cpe:2.3:a:adobe:flex_data_services:2.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B6F65E3F-F3E7-4BE9-A13B-87FFF3B3777E"}, {"criteria": "cpe:2.3:a:adobe:lifecycle:8.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2A1EAAD5-7A00-4EC3-9F97-D2965E2569D8"}, {"criteria": "cpe:2.3:a:adobe:lifecycle:8.2.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D227BD60-5882-4C73-A642-EEE1E485FC48"}, {"criteria": "cpe:2.3:a:adobe:lifecycle:9.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3824D1B3-CE8E-488C-B241-BBD764C935F5"}, {"criteria": "cpe:2.3:a:adobe:lifecycle_data_services:2.5.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EDF0B56D-E982-44CE-92E8-DA696E33717A"}, {"criteria": "cpe:2.3:a:adobe:lifecycle_data_services:2.6.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "18CBBE17-8E63-4A48-997B-850702442394"}, {"criteria": "cpe:2.3:a:adobe:lifecycle_data_services:3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3080073F-5BF3-415D-917A-C04DDCEEB311"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@adobe.com", "cisaRequiredAction": "Apply updates per vendor instructions.", "cisaVulnerabilityName": "Adobe BlazeDS Information Disclosure Vulnerability"}