Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2012-0874

Опубликовано: 05 фев. 2013
Источник: nvd
CVSS2: 6.8
EPSS Средний

Описание

The (1) JMXInvokerHAServlet and (2) EJBInvokerHAServlet invoker servlets in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 do not require authentication by default in certain profiles, which might allow remote attackers to invoke MBean methods and execute arbitrary code via unspecified vectors. NOTE: this issue can only be exploited when the interceptor is not properly configured with a "second layer of authentication," or when used in conjunction with other vulnerabilities that bypass this second layer.

Комментарий

Per http://rhn.redhat.com/errata/RHSA-2013-0192.html "This JBoss Enterprise Application Platform 5.2.0 release serves as a replacement for JBoss Enterprise Application Platform 5.1.2, and includes bug fixes and enhancements." Per http://rhn.redhat.com/errata/RHSA-2013-0196.html "This JBoss Enterprise Web Platform 5.2.0 release serves as a replacement for JBoss Enterprise Web Platform 5.1.2, and includes bug fixes and enhancements."

Ссылки

Уязвимые конфигурации

Конфигурация 1
cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.2.0:*:*:*:*:*:*:*
Конфигурация 2
cpe:2.3:a:redhat:jboss_enterprise_web_platform:5.2.0:*:*:*:*:*:*:*
Конфигурация 3
cpe:2.3:a:redhat:jboss_enterprise_brms_platform:*:*:*:*:*:*:*:*
Версия до 5.3.0 (включая)

EPSS

Процентиль: 98%
0.5129
Средний

6.8 Medium

CVSS2

Дефекты

CWE-287

Связанные уязвимости

redhat логотип

CVE-2012-0874

redhat
около 13 лет назад

The (1) JMXInvokerHAServlet and (2) EJBInvokerHAServlet invoker servlets in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 do not require authentication by default in certain profiles, which might allow remote attackers to invoke MBean methods and execute arbitrary code via unspecified vectors. NOTE: this issue can only be exploited when the interceptor is not properly configured with a "second layer of authentication," or when used in conjunction with other vulnerabilities that bypass this second layer.

debian логотип

CVE-2012-0874

debian
около 13 лет назад

The (1) JMXInvokerHAServlet and (2) EJBInvokerHAServlet invoker servle ...

github логотип

GHSA-cjrh-9rp2-h6f2

github
больше 3 лет назад

The (1) JMXInvokerHAServlet and (2) EJBInvokerHAServlet invoker servlets in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 do not require authentication by default in certain profiles, which might allow remote attackers to invoke MBean methods and execute arbitrary code via unspecified vectors. NOTE: this issue can only be exploited when the interceptor is not properly configured with a "second layer of authentication," or when used in conjunction with other vulnerabilities that bypass this second layer.

EPSS

Процентиль: 98%
0.5129
Средний

6.8 Medium

CVSS2

Дефекты

CWE-287