CVE-2004-0470 | Vulnerability Database | Aqua Security

BEA WebLogic Server and WebLogic Express 7.0 through SP5 and 8.1 through SP2, when editing weblogic.xml using WebLogic Builder or the SecurityRoleAssignmentMBean.toXML method, inadvertently removes security-role-assignment tags when weblogic.xml does not have a principal-name tag, which can remove intended access restrictions for the associated web application.

Affected Software

Name	Vendor	Start Version	End Version
Weblogic_server	Bea	7.0 (including)	7.0 (including)
Weblogic_server	Bea	8.1 (including)	8.1 (including)

References

http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_59.00.jsp
http://secunia.com/advisories/11593
http://securitytracker.com/id?1010128
http://www.kb.cert.org/vuls/id/950070
http://www.osvdb.org/6076
http://www.securityfocus.com/bid/10328
https://exchange.xforce.ibmcloud.com/vulnerabilities/16123
http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_59.00.jsp
http://secunia.com/advisories/11593
http://securitytracker.com/id?1010128
http://www.kb.cert.org/vuls/id/950070
http://www.osvdb.org/6076
http://www.securityfocus.com/bid/10328
https://exchange.xforce.ibmcloud.com/vulnerabilities/16123

NVD	https://nvd.nist.gov/vuln/detail/CVE-2004-0470
CWE	https://cwe.mitre.org/data/definitions/NVD-Other.html