Description
The JBoss Application Server (WildFly) JacORB subsystem in Red Hat JBoss Enterprise Application Platform (EAP) before 6.3.3 does not properly assign socket-binding-ref sensitivity classification to the security-domain attribute, which allows remote authenticated users to obtain sensitive information by leveraging access to the security-domain attribute.
It was discovered that the JBoss Application Server (WildFly) JacORB subsystem incorrectly assigned socket-binding-ref sensitivity classification for the security-domain attribute. An authenticated user with a role that has access to attributes with socket-binding-ref and not security-domain-ref sensitivity classification could use this flaw to access sensitive information present in the security-domain attribute.
Affected packages
| Platform | Package | Status | Advisory | Release |
|---|---|---|---|---|
| Red Hat JBoss Data Grid 6 | jacorb | Affected | | |
| Red Hat JBoss Enterprise Application Platform 5 | Security | Not affected | | |
| Red Hat JBoss Enterprise Web Server 1 | others | Under investigation | | |
| Red Hat JBoss Portal 6 | jacorb | Affected | | |
| Red Hat JBoss Enterprise Application Platform 6.3 | | Fixed | RHSA-2015:0215 | 11.02.2015 |
| Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 5 | antlr-eap6 | Fixed | RHSA-2015:0216 | 11.02.2015 |
| Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 5 | apache-cxf | Fixed | RHSA-2015:0216 | 11.02.2015 |
| Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 5 | glassfish-jsf-eap6 | Fixed | RHSA-2015:0216 | 11.02.2015 |
| Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 5 | guava-libraries | Fixed | RHSA-2015:0216 | 11.02.2015 |
| Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 5 | hibernate4-eap6 | Fixed | RHSA-2015:0216 | 11.02.2015 |
Additional information
Status:
EPSS
4.9 Medium
CVSS2