CVE-2014-3472

Опубликовано: 06 авг. 2014

Источник: redhat

CVSS2: 2.1

EPSS Низкий

Описание

The isCallerInRole function in SimpleSecurityManager in JBoss Application Server (AS) 7, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.3.0, does not properly check caller roles, which allows remote authenticated users to bypass access restrictions via unspecified vectors.

It was found that the isCallerInRole() method of the SimpleSecurityManager did not correctly check caller roles. A remote, authenticated attacker could use this flaw to circumvent the caller check in applications that use black list access control based on caller roles.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat JBoss Data Grid 6	jboss-as-controller	Not affected
Red Hat JBoss Data Virtualization 6	jboss-as-controller	Not affected
Red Hat JBoss Enterprise Application Platform 5	security	Not affected
Red Hat JBoss Enterprise Web Server 1	others	Not affected
Red Hat JBoss Operations Network 3	jboss-as-controller	Not affected
Red Hat JBoss BPMS 6.0	jboss-as-controller	Fixed	RHSA-2015:0234	17.02.2015
Red Hat JBoss BRMS 6.0	jboss-as-controller	Fixed	RHSA-2015:0235	17.02.2015
Red Hat JBoss Enterprise Application Platform 6.3		Fixed	RHSA-2014:1021	06.08.2014
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5	apache-commons-beanutils-eap6	Fixed	RHSA-2014:1019	06.08.2014
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5	apache-commons-cli-eap6	Fixed	RHSA-2014:1019	06.08.2014

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Low

Дефект:

CWE-184

https://bugzilla.redhat.com/show_bug.cgi?id=1103815Security: Invalid EJB caller role check implementation

EPSS

Процентиль: 47%

0.00241

Низкий

2.1 Low

CVSS2

Связанные уязвимости

CVE-2014-3472

nvd

больше 11 лет назад

GHSA-x926-v8v9-j4mp

github