The login module in Sun Java System Access Manager 6 2005Q1 (aka 6.3), 7 2005Q4 (aka 7.0), and 7.1 responds differently to a failed login attempt depending on whether the user account exists, which allows remote malicious users to enumerate valid usernames.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
sun java system access manager 7_2005q4 |
||
sun java system access manager 7.1 |
||
sun java system access manager 6.3_2005q1 |