• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

BEA WebLogic Incorrect Operator Permissions Password Disclosure Vulnerability

BEA WebLogic Server and WebLogic Express have been reported prone to a vulnerability that may allow server Operators to view sensitive credentials. The issue is reported to exist because the Operator role is erroneously assigned access to MBean attributes that contain user passwords.

An attacker, who is a member of the Operator role, may potentially exploit this vulnerability to disclose sensitive user credentials.