CVSS: 8.1EPSS: 0%CPEs: 3EXPL: 0CVE-2012-5478 – JBoss: AuthorizationInterceptor allows JMX operation to proceed despite authorization failure
https://notcve.org/view.php?id=CVE-2012-5478
05 Feb 2013 — The AuthorizationInterceptor in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 does not properly restrict access, which allows remote authenticated users to bypass intended role restrictions and perform arbitrary JMX operations via unspecified vectors. El AuthorizationInterceptor en JBoss Enterprise Application Platform (EAP) anterior a versión 5.2.0, Web Platform (EWP) anterior a versión 5.2.0, BRMS Platfo... • http://rhn.redhat.com/errata/RHSA-2013-0191.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.8EPSS: 1%CPEs: 3EXPL: 0CVE-2012-3369 – JBoss: CallerIdentityLoginModule retaining password from previous call if a null password is provided
https://notcve.org/view.php?id=CVE-2012-3369
05 Feb 2013 — The CallerIdentityLoginModule in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 allows remote attackers to gain privileges of the previous user via a null password, which causes the previous user's password to be used. CallerIdentityLoginModule en JBoss Enterprise Application Platform (EAP) anterior a versión 5.2.0, Web Platform (EWP) anterior a versión 5.2.0, BRMS Platform anterior a versión 5.3.1 y SOA Pl... • http://rhn.redhat.com/errata/RHSA-2013-0191.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.8EPSS: 1%CPEs: 3EXPL: 0CVE-2012-3370 – JBoss: SecurityAssociation.getCredential() will return the previous credential if no security context is provided
https://notcve.org/view.php?id=CVE-2012-3370
05 Feb 2013 — The SecurityAssociation.getCredential method in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 returns the credentials of the previous user when a security context is not provided, which allows remote attackers to gain privileges as other users. El método SecurityAssociation.getCredential en JBoss Enterprise Application Platform (EAP) anterior a versión 5.2.0, Web Platform (EWP) anterior a versión 5.2.0, BR... • http://rhn.redhat.com/errata/RHSA-2013-0191.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.8EPSS: 57%CPEs: 3EXPL: 2CVE-2012-0874 – EMC Data Protection Advisor DPA Illuminator - EJBInvokerServlet Remote Code Execution
https://notcve.org/view.php?id=CVE-2012-0874
05 Feb 2013 — The (1) JMXInvokerHAServlet and (2) EJBInvokerHAServlet invoker servlets in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 do not require authentication by default in certain profiles, which might allow remote attackers to invoke MBean methods and execute arbitrary code via unspecified vectors. NOTE: this issue can only be exploited when the interceptor is not properly configured with a "second layer of aut... • https://www.exploit-db.com/exploits/30211 • CWE-287: Improper Authentication •
CVSS: 9.8EPSS: 0%CPEs: 11EXPL: 0CVE-2012-4549 – AS: EJB authorization succeeds for any role when allowed roles list is empty
https://notcve.org/view.php?id=CVE-2012-4549
05 Jan 2013 — The processInvocation function in org.jboss.as.ejb3.security.AuthorizationInterceptor in JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) before 6.0.1, authorizes all requests when no roles are allowed for an Enterprise Java Beans (EJB) method invocation, which allows attackers to bypass intended access restrictions for EJB methods. La función processInvocation en org.jboss.as.ejb3.security.AuthorizationInterceptor en JBoss Enterprise Application Platform (tambien conocido como JBoss EAP o JBE... • http://rhn.redhat.com/errata/RHSA-2012-1591.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2012-4550 – JACC: Security constraints configured for EJBs are incorrectly interpreted and not applied
https://notcve.org/view.php?id=CVE-2012-4550
05 Jan 2013 — JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) before 6.0.1, when using role-based authorization for Enterprise Java Beans (EJB) access, does not call the intended authorization modules, which prevents JACC permissions from being applied and allows remote attackers to obtain access to the EJB. JBoss Enterprise Application Platform (tambíen conocido como JBoss EAP o JBEAP) anteriores a v6.0.1, cuando se usa una autorización basada en roles para acceder a Enterprise Java Beans (EJB), no llama ... • http://rhn.redhat.com/errata/RHSA-2012-1591.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.8EPSS: 0%CPEs: 26EXPL: 0CVE-2011-4085 – Invoker servlets authentication bypass (HTTP verb tampering)
https://notcve.org/view.php?id=CVE-2011-4085
23 Nov 2012 — The servlets invoked by httpha-invoker in JBoss Enterprise Application Platform before 5.1.2, SOA Platform before 5.2.0, BRMS Platform before 5.3.0, and Portal Platform before 4.3 CP07 perform access control only for the GET and POST methods, which allow remote attackers to bypass authentication by sending a request with a different method. NOTE: this vulnerability exists because of a CVE-2010-0738 regression. Los servlets invocados por httpha-invoker en JBoss Enterprise Application Platform anterior a v5.1... • http://rhn.redhat.com/errata/RHSA-2011-1456.html • CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 2%CPEs: 9EXPL: 0CVE-2011-4605 – JNDI: unauthenticated remote write access is permitted by default
https://notcve.org/view.php?id=CVE-2011-4605
23 Nov 2012 — The (1) JNDI service, (2) HA-JNDI service, and (3) HAJNDIFactory invoker servlet in JBoss Enterprise Application Platform 4.3.0 CP10 and 5.1.2, Web Platform 5.1.2, SOA Platform 4.2.0.CP05 and 4.3.0.CP05, Portal Platform 4.3 CP07 and 5.2.x before 5.2.2, and BRMS Platform before 5.3.0 do not properly restrict write access, which allows remote attackers to add, delete, or modify items in a JNDI tree via unspecified vectors. El (1) servicio JNDI, (2) servicio HA-JNDI, y (3) servlet HAJNDIFactory en JBoss Enterp... • http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=766469 • CWE-264: Permissions, Privileges, and Access Controls CWE-306: Missing Authentication for Critical Function •
CVSS: 9.8EPSS: 0%CPEs: 13EXPL: 0CVE-2012-1167 – JBoss: authentication bypass when running under JACC with ignoreBaseDecision on JBossWebRealm
https://notcve.org/view.php?id=CVE-2012-1167
23 Nov 2012 — The JBoss Server in JBoss Enterprise Application Platform 5.1.x before 5.1.2 and 5.2.x before 5.2.2, Web Platform before 5.1.2, BRMS Platform before 5.3.0, and SOA Platform before 5.3.0, when the server is configured to use the JaccAuthorizationRealm and the ignoreBaseDecision property is set to true on the JBossWebRealm, does not properly check the permissions created by the WebPermissionMapping class, which allows remote authenticated users to access arbitrary applications. El JBoss Server en JBoss Enterp... • http://rhn.redhat.com/errata/RHSA-2012-1013.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.3EPSS: 0%CPEs: 7EXPL: 0CVE-2012-1154 – mod_cluster registers and exposes the root context of a server by default, despite ROOT being in the excluded-contexts list
https://notcve.org/view.php?id=CVE-2012-1154
22 Oct 2012 — mod_cluster 1.0.10 before 1.0.10 CP03 and 1.1.x before 1.1.4, as used in JBoss Enterprise Application Platform 5.1.2, when "ROOT" is set to excludedContexts, exposes the root context of the server, which allows remote attackers to bypass access restrictions and gain access to applications deployed on the root context via unspecified vectors. mod_cluster v1.0.10 antes de v1.0.10 CPO3 y v1.1.x antes de v1.1.4, como cuando se utiliza en JBoss Enterprise Application Platform v5.1.2, cuando se pone "ROOT" en exc... • http://rhn.redhat.com/errata/RHSA-2012-1010.html • CWE-264: Permissions, Privileges, and Access Controls •