{"api_version":"1","generated_at":"2026-04-23T06:42:54+00:00","cve":"CVE-2008-2945","urls":{"html":"https://cve.report/CVE-2008-2945","api":"https://cve.report/api/cve/CVE-2008-2945.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2008-2945","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2008-2945"},"summary":{"title":"CVE-2008-2945","description":"Sun Java System Access Manager 6.3 through 7.1 and Sun Java System Identity Server 6.1 and 6.2 do not properly process XSLT stylesheets in XSLT transforms in XML signatures, which allows context-dependent attackers to execute arbitrary code via a crafted stylesheet, a related issue to CVE-2007-3715, CVE-2007-3716, and CVE-2007-4289.","state":"PUBLISHED","assigner":"mitre","published_at":"2008-06-30 22:41:00","updated_at":"2026-04-23 00:35:47"},"problem_types":["CWE-20","n/a"],"metrics":[{"version":"2.0","source":"nvd@nist.gov","type":"Primary","score":"7.5","severity":"","vector":"AV:N/AC:L/Au:N/C:P/I:P/A:P","data":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","baseScore":7.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"}}],"references":[{"url":"http://sunsolve.sun.com/search/document.do?assetkey=1-26-201538-1","name":"http://sunsolve.sun.com/search/document.do?assetkey=1-26-201538-1","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"","mime":"","httpstatus":"-1","archivestatus":"404"},{"url":"http://www.vupen.com/english/advisories/2008/1967/references","name":"http://www.vupen.com/english/advisories/2008/1967/references","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"Webmail : Solution de messagerie professionnelle - OVHcloud- OVH","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/43429","name":"https://exchange.xforce.ibmcloud.com/vulnerabilities/43429","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"IBM X-Force Exchange","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://support.avaya.com/elmodocs2/security/ASA-2008-294.htm","name":"http://support.avaya.com/elmodocs2/security/ASA-2008-294.htm","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"ASA-2008-294 (SUN 201538)","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/29988","name":"http://www.securityfocus.com/bid/29988","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"Sun Java System Access Manager XSLT Stylesheets XML Signature Remote Code Execution Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"http://secunia.com/advisories/30893","name":"http://secunia.com/advisories/30893","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"Sun Java System Access Manager XSLT Stylesheet Processing Vulnerability - Secunia Advisories - Vulnerability Intelligence - Secunia.com","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securitytracker.com/id?1020380","name":"http://www.securitytracker.com/id?1020380","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"Sun Java System Access Manager XML Signature Processing Bug Lets Remote Users Execute Arbitrary Code - SecurityTracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2008-2945","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2008-2945","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"n/a","product":"n/a","version":"affected n/a","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2008","cve_id":"2945","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"sun","cpe5":"java_system_access_manager","cpe6":"6.3","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2008","cve_id":"2945","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"sun","cpe5":"java_system_access_manager","cpe6":"7.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2008","cve_id":"2945","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"sun","cpe5":"java_system_access_manager","cpe6":"7.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2008","cve_id":"2945","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"sun","cpe5":"java_system_identity_server","cpe6":"6.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2008","cve_id":"2945","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"sun","cpe5":"java_system_identity_server","cpe6":"6.2","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-07T09:21:34.571Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"name":"201538","tags":["vendor-advisory","x_refsource_SUNALERT","x_transferred"],"url":"http://sunsolve.sun.com/search/document.do?assetkey=1-26-201538-1"},{"name":"sun-jsam-xslt-code-execution(43429)","tags":["vdb-entry","x_refsource_XF","x_transferred"],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/43429"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"http://support.avaya.com/elmodocs2/security/ASA-2008-294.htm"},{"name":"1020380","tags":["vdb-entry","x_refsource_SECTRACK","x_transferred"],"url":"http://www.securitytracker.com/id?1020380"},{"name":"29988","tags":["vdb-entry","x_refsource_BID","x_transferred"],"url":"http://www.securityfocus.com/bid/29988"},{"name":"ADV-2008-1967","tags":["vdb-entry","x_refsource_VUPEN","x_transferred"],"url":"http://www.vupen.com/english/advisories/2008/1967/references"},{"name":"30893","tags":["third-party-advisory","x_refsource_SECUNIA","x_transferred"],"url":"http://secunia.com/advisories/30893"}],"title":"CVE Program Container"}],"cna":{"affected":[{"product":"n/a","vendor":"n/a","versions":[{"status":"affected","version":"n/a"}]}],"datePublic":"2008-06-26T00:00:00.000Z","descriptions":[{"lang":"en","value":"Sun Java System Access Manager 6.3 through 7.1 and Sun Java System Identity Server 6.1 and 6.2 do not properly process XSLT stylesheets in XSLT transforms in XML signatures, which allows context-dependent attackers to execute arbitrary code via a crafted stylesheet, a related issue to CVE-2007-3715, CVE-2007-3716, and CVE-2007-4289."}],"problemTypes":[{"descriptions":[{"description":"n/a","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2017-08-07T12:57:01.000Z","orgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","shortName":"mitre"},"references":[{"name":"201538","tags":["vendor-advisory","x_refsource_SUNALERT"],"url":"http://sunsolve.sun.com/search/document.do?assetkey=1-26-201538-1"},{"name":"sun-jsam-xslt-code-execution(43429)","tags":["vdb-entry","x_refsource_XF"],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/43429"},{"tags":["x_refsource_CONFIRM"],"url":"http://support.avaya.com/elmodocs2/security/ASA-2008-294.htm"},{"name":"1020380","tags":["vdb-entry","x_refsource_SECTRACK"],"url":"http://www.securitytracker.com/id?1020380"},{"name":"29988","tags":["vdb-entry","x_refsource_BID"],"url":"http://www.securityfocus.com/bid/29988"},{"name":"ADV-2008-1967","tags":["vdb-entry","x_refsource_VUPEN"],"url":"http://www.vupen.com/english/advisories/2008/1967/references"},{"name":"30893","tags":["third-party-advisory","x_refsource_SECUNIA"],"url":"http://secunia.com/advisories/30893"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2008-2945","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Sun Java System Access Manager 6.3 through 7.1 and Sun Java System Identity Server 6.1 and 6.2 do not properly process XSLT stylesheets in XSLT transforms in XML signatures, which allows context-dependent attackers to execute arbitrary code via a crafted stylesheet, a related issue to CVE-2007-3715, CVE-2007-3716, and CVE-2007-4289."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"201538","refsource":"SUNALERT","url":"http://sunsolve.sun.com/search/document.do?assetkey=1-26-201538-1"},{"name":"sun-jsam-xslt-code-execution(43429)","refsource":"XF","url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/43429"},{"name":"http://support.avaya.com/elmodocs2/security/ASA-2008-294.htm","refsource":"CONFIRM","url":"http://support.avaya.com/elmodocs2/security/ASA-2008-294.htm"},{"name":"1020380","refsource":"SECTRACK","url":"http://www.securitytracker.com/id?1020380"},{"name":"29988","refsource":"BID","url":"http://www.securityfocus.com/bid/29988"},{"name":"ADV-2008-1967","refsource":"VUPEN","url":"http://www.vupen.com/english/advisories/2008/1967/references"},{"name":"30893","refsource":"SECUNIA","url":"http://secunia.com/advisories/30893"}]}}}},"cveMetadata":{"assignerOrgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","assignerShortName":"mitre","cveId":"CVE-2008-2945","datePublished":"2008-06-30T22:00:00.000Z","dateReserved":"2008-06-30T00:00:00.000Z","dateUpdated":"2024-08-07T09:21:34.571Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"},"nvd":{"publishedDate":"2008-06-30 22:41:00","lastModifiedDate":"2026-04-23 00:35:47","problem_types":["CWE-20","n/a"],"metrics":{"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","baseScore":7.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"HIGH","exploitabilityScore":10,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:sun:java_system_access_manager:6.3:*:*:*:*:*:*:*","matchCriteriaId":"31DEED4B-0AFF-49A2-9DDA-B4D74E3B29A0"},{"vulnerable":true,"criteria":"cpe:2.3:a:sun:java_system_access_manager:7.0:*:*:*:*:*:*:*","matchCriteriaId":"D88350FE-285D-4144-B7DC-5E1F8579CC56"},{"vulnerable":true,"criteria":"cpe:2.3:a:sun:java_system_access_manager:7.1:*:*:*:*:*:*:*","matchCriteriaId":"0B5B089E-62AC-44E5-9462-DC439C7AA8A5"},{"vulnerable":true,"criteria":"cpe:2.3:a:sun:java_system_identity_server:6.1:*:*:*:*:*:*:*","matchCriteriaId":"DB8DC1D1-AF26-48BC-A773-5D7CAC70C7D9"},{"vulnerable":true,"criteria":"cpe:2.3:a:sun:java_system_identity_server:6.2:*:*:*:*:*:*:*","matchCriteriaId":"9770CADB-E22A-425C-A35B-AFC52CE53C88"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2008","CveId":"2945","Ordinal":"1","Title":"CVE-2008-2945","CVE":"CVE-2008-2945","Year":"2008"},"notes":[{"CveYear":"2008","CveId":"2945","Ordinal":"1","NoteData":"Sun Java System Access Manager 6.3 through 7.1 and Sun Java System Identity Server 6.1 and 6.2 do not properly process XSLT stylesheets in XSLT transforms in XML signatures, which allows context-dependent attackers to execute arbitrary code via a crafted stylesheet, a related issue to CVE-2007-3715, CVE-2007-3716, and CVE-2007-4289.","Type":"Description","Title":"CVE-2008-2945"},{"CveYear":"2008","CveId":"2945","Ordinal":"2","NoteData":"2008-06-30","Type":"Other","Title":"Published"},{"CveYear":"2008","CveId":"2945","Ordinal":"3","NoteData":"2017-08-07","Type":"Other","Title":"Modified"}]}}}