CVE Vulnerabilities

CVE-2009-1077

Published: Mar 25, 2009 | Modified: Oct 06, 2009
CVSS 3.x: N/A
Source: NVD
CVSS 2.x: 6.5 MEDIUM (AV:N/AC:L/Au:S/C:P/I:P/A:P)

The Change My Password implementation in the admin interface in Sun Java System Identity Manager (IdM) 7.0 through 8.0 does not enforce the RequiresChallenge property setting, which allows remote authenticated users to change the passwords of other users, as demonstrated by changing the administrator's password.

Affected Software

Name                          Vendor  Start Version      End Version
Java_system_identity_manager  Sun     7.0 (including)    7.0 (including)
Java_system_identity_manager  Sun     7.1 (including)    7.1 (including)
Java_system_identity_manager  Sun     7.1.1 (including)  7.1.1 (including)
Java_system_identity_manager  Sun     8.0 (including)    8.0 (including)
