CVE-2012-0874
Date: (C) 2013-02-06   (M) 2023-12-22


The (1) JMXInvokerHAServlet and (2) EJBInvokerHAServlet invoker servlets in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 do not require authentication by default in certain profiles, which might allow remote attackers to invoke MBean methods and execute arbitrary code via unspecified vectors. NOTE: this issue can only be exploited when the interceptor is not properly configured with a "second layer of authentication," or when used in conjunction with other vulnerabilities that bypass this second layer.
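The exposure described above is a gap in the invoker web application's deployment descriptor: the HA invoker servlets are mapped, but the security-constraint that puts the other invoker servlets behind the HttpInvoker role does not list them. The script below is an added example, not part of this advisory or of the JBoss code base, that audits an invoker.war web.xml for exactly that gap: it lists every servlet-mapping whose url-pattern is not fully covered by a security-constraint carrying an auth-constraint, and it also flags constraints that enumerate only some HTTP methods, because under the Servlet specification a method the constraint does not list is not restricted at all. The two web.xml documents are constructed samples modelled on the invoker.war layout, not copies of any shipped file; the servlet names match the advisory, the role name HttpInvoker is an assumption. The check covers only the web.xml layer; it says nothing about the JMX invoker's own authentication interceptor, which is the "second layer" the advisory's NOTE refers to.

```python
"""Audit a JBoss invoker.war web.xml for invoker servlets that are reachable
without authentication (the CVE-2012-0874 pattern). Added example code, not
part of the advisory or of JBoss; the sample descriptors below are constructed."""
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip an XML namespace prefix: '{uri}name' -> 'name'."""
    return tag.rsplit('}', 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _texts(elem, name):
    return [c.text.strip() for c in _children(elem, name) if c.text]


def pattern_covers(constraint_pattern, mapping_pattern):
    """True if a security-constraint url-pattern covers every request that a
    servlet-mapping url-pattern routes (Servlet spec prefix/exact matching)."""
    if constraint_pattern == '/*':
        return True
    if constraint_pattern.endswith('/*'):
        prefix = constraint_pattern[:-2]
        target = mapping_pattern[:-2] if mapping_pattern.endswith('/*') else mapping_pattern
        return target == prefix or target.startswith(prefix + '/')
    return constraint_pattern == mapping_pattern


def audit_invoker_web_xml(web_xml):
    """Return [(servlet-name, url-pattern, finding)] for each mapping that is
    not fully behind an auth-constraint. An empty list means all are covered."""
    root = ET.fromstring(web_xml)
    # (url-patterns, http-methods) for every constraint that actually requires a role
    constraints = []
    for sc in _children(root, 'security-constraint'):
        if not _children(sc, 'auth-constraint'):
            continue  # no auth-constraint: constraint restricts nothing
        for wrc in _children(sc, 'web-resource-collection'):
            constraints.append((_texts(wrc, 'url-pattern'), _texts(wrc, 'http-method')))
    findings = []
    for sm in _children(root, 'servlet-mapping'):
        name = _texts(sm, 'servlet-name')[0]
        for mp in _texts(sm, 'url-pattern'):
            covering = [methods for pats, methods in constraints
                        if any(pattern_covers(p, mp) for p in pats)]
            if not covering:
                findings.append((name, mp, 'no security-constraint'))
            elif all(covering):  # every covering constraint lists methods, so some verbs are open
                limited = sorted({m for methods in covering for m in methods})
                findings.append((name, mp, 'constraint limited to ' + ', '.join(limited)))
    return findings


def _mapping(name):
    return ('<servlet-mapping><servlet-name>%s</servlet-name>'
            '<url-pattern>/%s/*</url-pattern></servlet-mapping>' % (name, name))


_MAPPINGS = ''.join(_mapping(n) for n in (
    'JMXInvokerServlet', 'EJBInvokerServlet', 'JMXInvokerHAServlet', 'EJBInvokerHAServlet'))

# Constructed sample: the HA servlets are mapped but not listed in the constraint,
# and the constraint only names GET and POST.
WEAK_WEB_XML = '''<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">%s
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HttpInvokers</web-resource-name>
      <url-pattern>/JMXInvokerServlet/*</url-pattern>
      <url-pattern>/EJBInvokerServlet/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>HttpInvoker</role-name></auth-constraint>
  </security-constraint>
</web-app>''' % _MAPPINGS

# Constructed sample of the corrected descriptor: one constraint over the whole
# context, no http-method list, so every servlet and verb requires the role.
FIXED_WEB_XML = '''<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">%s
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HttpInvokers</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>HttpInvoker</role-name></auth-constraint>
  </security-constraint>
</web-app>''' % _MAPPINGS


if __name__ == '__main__':
    for label, doc in (('weak', WEAK_WEB_XML), ('fixed', FIXED_WEB_XML)):
        print(label, audit_invoker_web_xml(doc) or 'all servlet mappings protected')
```

Run it against the real file (deploy/httpha-invoker.sar/invoker.war/WEB-INF/web.xml in an EAP 5 profile) by reading the file into a string and passing it to audit_invoker_web_xml. Any "no security-constraint" finding for an invoker servlet is the condition this advisory describes; a "constraint limited to ..." finding means a request with an unlisted verb bypasses the web.xml layer entirely, which is the kind of additional bypass the NOTE above alludes to.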

CVSS Score and Metrics

CVSS V2 Severity:
CVSS Base Score: 6.8
Exploitability Score: 8.6
Impact Score: 6.4

CVSS V2 Metrics (vector AV:N/AC:M/Au:N/C:P/I:P/A:P):
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
  
Reference:
SECTRACK-1028042
http://archives.neohapsis.com/archives/bugtraq/2013-12/0134.html
EXPLOIT-DB-30211
SECUNIA-51984
SECUNIA-52054
BID-57552
RHSA-2013:0191
RHSA-2013:0192
RHSA-2013:0193
RHSA-2013:0194
RHSA-2013:0195
RHSA-2013:0196
RHSA-2013:0197
RHSA-2013:0198
RHSA-2013:0221
RHSA-2013:0533
https://bugzilla.redhat.com/show_bug.cgi?id=795645
jboss-eap-jmxinvokerhaservlet-code-exec(81511)

CPE (2)
cpe:/a:redhat:jboss_enterprise_application_platform:5.2.0
cpe:/a:redhat:jboss_enterprise_web_platform:5.2.0
CWE (1)
CWE-287: Improper Authentication

© SecPod Technologies