CVE-2009-3554 – JBoss EAP Twiddle logs the JMX password
https://notcve.org/view.php?id=CVE-2009-3554
Twiddle in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP08 and 4.3 before 4.3.0.CP07 writes the JMX password, and other command-line arguments, to the twiddle.log file, which allows local users to obtain sensitive information by reading this file. Twiddle en Red Hat en la plataforma de aplicaciones JBoss Enterprise (tambien conocido como JBoss EAP or JBEAP) v4.2 anteriores a v4.2.0.CP08 y v4.3 anteriores a v4.3.0.CP07 escribe la contraseña JMX, y otros argumentos de linea de comandos, al fichero twiddle.log, lo que permite a usuarios locales conseguir información sensible leyendo este fichero. • http://secunia.com/advisories/37671 http://securitytracker.com/id?1023316 http://www.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/4.2.0.cp08/html-single/Release_Notes/index.html http://www.securityfocus.com/bid/37276 https://bugzilla.redhat.com/show_bug.cgi?id=532111 https://bugzilla.redhat.com/show_bug.cgi?id=539495 https://exchange.xforce.ibmcloud.com/vulnerabilities/54702 https://jira.jboss.org/jira/browse/JBPAPP-2872 https://rhn.redhat.com/errata/RHSA-2009-1 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2009-0027 – JBoss EAP unprivileged local xml file access
https://notcve.org/view.php?id=CVE-2009-0027
The request handler in JBossWS in JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP06 and 4.3 before 4.3.0.CP04 does not properly validate the resource path during a request for a WSDL file with a custom web-service endpoint, which allows remote attackers to read arbitrary XML files via a crafted request. El manejador de solicitudes de JBossWS en JBoss Enterprise Application Platform (alias JBoss o JBEAP PEA) 4.2 antes de 4.2.0.CP06 y 4.3 antes de 4.3.0.CP04 no valida la ruta durante una petición de un archivo WSDL con un punto final del web-service propio, lo que permite a atacantes remotos leer archivos XML arbitrarios a través de una solicitud debidamente modificada. • http://rhn.redhat.com/errata/RHSA-2009-0346.html http://rhn.redhat.com/errata/RHSA-2009-0347.html http://rhn.redhat.com/errata/RHSA-2009-0348.html http://rhn.redhat.com/errata/RHSA-2009-0349.html http://secunia.com/advisories/34112 http://www.securityfocus.com/bid/34023 http://www.securitytracker.com/id?1021817 https://bugzilla.redhat.com/show_bug.cgi?id=479668 https://jira.jboss.org/jira/browse/JBPAPP-1548 https://access.redhat.com/security/cve/CVE-2009-0027 • CWE-20: Improper Input Validation •
CVE-2008-3519 – JBossEAP allows download of non-EJB class files
https://notcve.org/view.php?id=CVE-2008-3519
The default configuration of the JBossAs component in Red Hat JBoss Enterprise Application Platform (aka JBossEAP or EAP), possibly 4.2 before CP04 and 4.3 before CP02, when a production environment is enabled, sets the DownloadServerClasses property to true, which allows remote attackers to obtain sensitive information (non-EJB classes) via a download request, a different vulnerability than CVE-2008-3273. La configuración por defecto del componente JBossAs en Red Hat JBoss Enterprise Application Platform (también conocido como JBossEAP o EAP), posiblemente v4.2 anterior a CP04 y v4.3 anterior a CP02, cuando el entorno de producción está activado, establece la propiedad "DownloadServerClasses" a "true", lo que permite a atacantes remotos obtener información sensible (clases no-EJB) a través de una petición de descarga. Un a vulnerabilidad distinta de CVE-2008-3273. • http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=458823 http://www.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/4.2.0.cp04/html-single/readme/index.html http://www.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/4.3.0.cp02/html-single/readme/index.html http://www.redhat.com/support/errata/RHSA-2008-0831.html http://www.redhat.com/support/errata/RHSA-2008-0832.html http://www.redhat.com/support/errata/RHSA-2008-0833.html http://www.redhat.c • CWE-16: Configuration •