CVE Vulnerabilities

CVE-2009-1595

Improper Authentication

Published: May 11, 2009 | Modified: Aug 17, 2017
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
4 MEDIUM
AV:N/AC:L/Au:S/C:N/I:P/A:N
RedHat/V2
RedHat/V3
Ubuntu

The jabber:iq:auth implementation in IQAuthHandler.java in Ignite Realtime Openfire before 3.6.4 allows remote authenticated users to change the passwords of arbitrary accounts via a modified username element in a passwd_change action.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Name Vendor Start Version End Version
Openfire Igniterealtime 3.2.2 3.2.2
Openfire Igniterealtime * 3.6.3
Openfire Igniterealtime 3.4.2 3.4.2
Openfire Igniterealtime 3.0.0 3.0.0
Openfire Igniterealtime 3.0.1 3.0.1
Openfire Igniterealtime 3.2.1 3.2.1
Openfire Igniterealtime 3.4.4 3.4.4
Openfire Igniterealtime 3.1.0 3.1.0
Openfire Igniterealtime 3.4.0 3.4.0
Openfire Igniterealtime 3.6.0 3.6.0
Openfire Igniterealtime 3.2.3 3.2.3
Openfire Igniterealtime 3.4.5 3.4.5
Openfire Igniterealtime 3.3.2 3.3.2
Openfire Igniterealtime 3.2.0 3.2.0
Openfire Igniterealtime 3.5.0 3.5.0
Openfire Igniterealtime 3.4.3 3.4.3
Openfire Igniterealtime 2.6.1 2.6.1
Openfire Igniterealtime 3.6.1 3.6.1
Openfire Igniterealtime 3.6.0a 3.6.0a
Openfire Igniterealtime 3.6.2 3.6.2
Openfire Igniterealtime 2.6.0 2.6.0
Openfire Igniterealtime 2.6.2 2.6.2
Openfire Igniterealtime 3.1.1 3.1.1
Openfire Igniterealtime 3.5.2 3.5.2
Openfire Igniterealtime 3.3.3 3.3.3
Openfire Igniterealtime 3.5.1 3.5.1
Openfire Igniterealtime 3.2.4 3.2.4
Openfire Igniterealtime 3.3.0 3.3.0
Openfire Igniterealtime 3.4.1 3.4.1

Potential Mitigations

References