CVE-2009-1596
First published: Mon May 11 2009(Updated: )
Ignite Realtime Openfire before 3.6.5 does not properly implement the register.password (aka canChangePassword) console configuration setting, which allows remote authenticated users to bypass intended policy and change their own passwords via a passwd_change IQ packet.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Openfire | <3.6.5 | |
| Openfire | <=3.6.4 | |
| Openfire | =2.6.0 | |
| Openfire | =2.6.1 | |
| Openfire | =2.6.2 | |
| Openfire | =3.0.0 | |
| Openfire | =3.0.1 | |
| Openfire | =3.1.0 | |
| Openfire | =3.1.1 | |
| Openfire | =3.2.0 | |
| Openfire | =3.2.1 | |
| Openfire | =3.2.2 | |
| Openfire | =3.2.3 | |
| Openfire | =3.2.4 | |
| Openfire | =3.3.0 | |
| Openfire | =3.3.2 | |
| Openfire | =3.3.3 | |
| Openfire | =3.4.0 | |
| Openfire | =3.4.1 | |
| Openfire | =3.4.2 | |
| Openfire | =3.4.3 | |
| Openfire | =3.4.4 | |
| Openfire | =3.4.5 | |
| Openfire | =3.5.0 | |
| Openfire | =3.5.1 | |
| Openfire | =3.5.2 | |
| Openfire | =3.6.0 | |
| Openfire | =3.6.0a | |
| Openfire | =3.6.1 | |
| Openfire | =3.6.2 | |
| Openfire | =3.6.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2009-1596?
The severity of CVE-2009-1596 is classified as Medium due to the potential for unauthorized password changes by authenticated users.
How do I fix CVE-2009-1596?
To fix CVE-2009-1596, upgrade Openfire to version 3.6.5 or later.
Who is affected by CVE-2009-1596?
Openfire versions prior to 3.6.5, including 2.6.0 to 3.6.4, are affected by CVE-2009-1596.
What are the implications of CVE-2009-1596?
CVE-2009-1596 allows authenticated users to change their own passwords, which can lead to unauthorized access and account compromise.
How does CVE-2009-1596 exploit the Openfire configuration?
CVE-2009-1596 exploits a misconfiguration of the register.password setting, allowing bypass of intended password policies.
- agent/references
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/weakness
- agent/severity
- agent/last-modified-date
- agent/description
- agent/event
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/nvd-historical
- agent/author
- agent/softwarecombine
- vendor/igniterealtime
- canonical/openfire
- version/openfire/3.6.4
- version/openfire/2.6.0
- version/openfire/2.6.1
- version/openfire/2.6.2
- version/openfire/3.0.0
- version/openfire/3.0.1
- version/openfire/3.1.0
- version/openfire/3.1.1
- version/openfire/3.2.0
- version/openfire/3.2.1
- version/openfire/3.2.2
- version/openfire/3.2.3
- version/openfire/3.2.4
- version/openfire/3.3.0
- version/openfire/3.3.2
- version/openfire/3.3.3
- version/openfire/3.4.0
- version/openfire/3.4.1
- version/openfire/3.4.2
- version/openfire/3.4.3
- version/openfire/3.4.4
- version/openfire/3.4.5
- version/openfire/3.5.0
- version/openfire/3.5.1
- version/openfire/3.5.2
- version/openfire/3.6.0
- version/openfire/3.6.0a
- version/openfire/3.6.1
- version/openfire/3.6.2
- version/openfire/3.6.3