The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits.
Published 2009-07-14 23:30:00
Updated 2018-10-12 21:49:44
Source CERT/CC
View at NVD,   CVE.org

Threat overview for CVE-2009-0217

Top countries where our scanners detected CVE-2009-0217
Top open port discovered on systems with this issue 9080
IPs affected by CVE-2009-0217 1,613
Threat actors abusing to this issue? Yes
Find out if you* are affected by CVE-2009-0217!
*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2009-0217

Probability of exploitation activity in the next 30 days: 97.28%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 100 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2009-0217

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source
5.0
MEDIUM AV:N/AC:L/Au:N/C:N/I:P/A:N
10.0
2.9
NIST

References for CVE-2009-0217

Products affected by CVE-2009-0217

This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!