Description
The processInvocation function in org.jboss.as.ejb3.security.AuthorizationInterceptor in JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) before 6.0.1 authorizes all requests when no roles are allowed for an Enterprise Java Beans (EJB) method invocation, which allows attackers to bypass intended access restrictions for EJB methods.
Report
This issue did not affect JBoss Enterprise Application Platform versions 4.x and 5.x.
Affected packages
| Platform | Package | Status | Advisory | Release |
|---|---|---|---|---|
| Red Hat JBoss Enterprise Web Server 1 | unknown | Under investigation | | |
| Red Hat JBoss Enterprise Application Platform 6.0 | | Fixed | RHSA-2012:1594 | 18.12.2012 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 | antlr-eap6 | Fixed | RHSA-2012:1591 | 18.12.2012 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 | apache-commons-beanutils | Fixed | RHSA-2012:1591 | 18.12.2012 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 | apache-commons-cli | Fixed | RHSA-2012:1591 | 18.12.2012 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 | apache-commons-codec-eap6 | Fixed | RHSA-2012:1591 | 18.12.2012 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 | apache-commons-collections | Fixed | RHSA-2012:1591 | 18.12.2012 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 | apache-commons-collections-eap6 | Fixed | RHSA-2012:1591 | 18.12.2012 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 | apache-commons-configuration | Fixed | RHSA-2012:1591 | 18.12.2012 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 | apache-commons-daemon-jsvc-eap6 | Fixed | RHSA-2012:1591 | 18.12.2012 |
Additional information
CVSS2: 5.8 Medium