Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2009-0348

CWE-200 — Information Exposure4 documents4 sources

Severity

5.0MEDIUM

EPSS

10.4%

top 6.78%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

SUN Java System Access Manager

Timeline

PublishedJan 29

Latest updateMay 2

Description

The login module in Sun Java System Access Manager 6 2005Q1 (aka 6.3), 7 2005Q4 (aka 7.0), and 7.1 responds differently to a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages1 packages

▶NVDsun/java_system_access_manager6.3_2005q1, 7.1, 7_2005q4+2

Patches

Patch: sunsolve.sun.com ↗Patch: sunsolve.sun.com ↗Patch: sunsolve.sun.com ↗

🔴Vulnerability Details

GHSA

GHSA-q6r6-8rm7-3r93: The login module in Sun Java System Access Manager 6 2005Q1 (aka 6↗2022-05-02

▶

CVEList

CVE-2009-0348: The login module in Sun Java System Access Manager 6 2005Q1 (aka 6↗2009-01-29

▶

💥Exploits & PoCs

Exploit-DB

Sun Java System Access Manager 7.1 - 'Username' Enumeration↗2009-01-27

▶