CVSS: 9.8EPSS: 7%CPEs: 3EXPL: 2CVE-2012-0874 – EMC Data Protection Advisor DPA Illuminator - EJBInvokerServlet Remote Code Execution
https://notcve.org/view.php?id=CVE-2012-0874
05 Feb 2013 — The (1) JMXInvokerHAServlet and (2) EJBInvokerHAServlet invoker servlets in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 do not require authentication by default in certain profiles, which might allow remote attackers to invoke MBean methods and execute arbitrary code via unspecified vectors. NOTE: this issue can only be exploited when the interceptor is not properly configured with a "second layer of aut... • https://www.exploit-db.com/exploits/30211 • CWE-287: Improper Authentication •
CVSS: 9.8EPSS: 1%CPEs: 3EXPL: 0CVE-2012-3369 – JBoss: CallerIdentityLoginModule retaining password from previous call if a null password is provided
https://notcve.org/view.php?id=CVE-2012-3369
05 Feb 2013 — The CallerIdentityLoginModule in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 allows remote attackers to gain privileges of the previous user via a null password, which causes the previous user's password to be used. CallerIdentityLoginModule en JBoss Enterprise Application Platform (EAP) anterior a versión 5.2.0, Web Platform (EWP) anterior a versión 5.2.0, BRMS Platform anterior a versión 5.3.1 y SOA Pl... • http://rhn.redhat.com/errata/RHSA-2013-0191.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.0EPSS: 0%CPEs: 5EXPL: 0CVE-2012-0034 – Cache: NonManagedConnectionFactory will log password in clear text when an exception occurs
https://notcve.org/view.php?id=CVE-2012-0034
05 Feb 2013 — The NonManagedConnectionFactory in JBoss Enterprise Application Platform (EAP) 5.1.2 and 5.2.0, Web Platform (EWP) 5.1.2 and 5.2.0, and BRMS Platform before 5.3.1 logs the username and password in cleartext when an exception is thrown, which allows local users to obtain sensitive information by reading the log file. El NonManagedConnectionFactory en JBoss Enterprise Application Platform (EAP) v5.1.2 y v5.2.0, Web Platform (EWP) v5.1.2 y v5.2.0, y BRMS Platform anterior a v5.3.1 guarda el nombre de usuario y... • http://rhn.redhat.com/errata/RHSA-2012-0108.html • CWE-255: Credentials Management Errors •
CVSS: 8.1EPSS: 0%CPEs: 3EXPL: 0CVE-2012-5478 – JBoss: AuthorizationInterceptor allows JMX operation to proceed despite authorization failure
https://notcve.org/view.php?id=CVE-2012-5478
05 Feb 2013 — The AuthorizationInterceptor in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 does not properly restrict access, which allows remote authenticated users to bypass intended role restrictions and perform arbitrary JMX operations via unspecified vectors. El AuthorizationInterceptor en JBoss Enterprise Application Platform (EAP) anterior a versión 5.2.0, Web Platform (EWP) anterior a versión 5.2.0, BRMS Platfo... • http://rhn.redhat.com/errata/RHSA-2013-0191.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2011-4575 – Console: XSS in invoke operation
https://notcve.org/view.php?id=CVE-2011-4575
05 Feb 2013 — Cross-site scripting (XSS) vulnerability in the JMX console in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Una vulnerabilidad de tipo cross-site scripting (XSS) en la consola JMX en JBoss Enterprise Application Platform (EAP) anterior a versión 5.2.0, Web Platform (EWP) anterior a versión 5.2.0, BRMS Platform anterior... • http://rhn.redhat.com/errata/RHSA-2013-0191.html • CWE-20: Improper Input Validation CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 1%CPEs: 3EXPL: 0CVE-2012-3370 – JBoss: SecurityAssociation.getCredential() will return the previous credential if no security context is provided
https://notcve.org/view.php?id=CVE-2012-3370
05 Feb 2013 — The SecurityAssociation.getCredential method in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 returns the credentials of the previous user when a security context is not provided, which allows remote attackers to gain privileges as other users. El método SecurityAssociation.getCredential en JBoss Enterprise Application Platform (EAP) anterior a versión 5.2.0, Web Platform (EWP) anterior a versión 5.2.0, BR... • http://rhn.redhat.com/errata/RHSA-2013-0191.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2013-0218 – Installer: Generated auto-install xml is world readable
https://notcve.org/view.php?id=CVE-2013-0218
05 Feb 2013 — The GUI installer in JBoss Enterprise Application Platform (EAP) and Enterprise Web Platform (EWP) 5.2.0 and possibly 5.1.2 uses world-readable permissions for the auto-install XML file, which allows local users to obtain the administrator password and the sucker password by reading this file. El instalador GUI en JBoss Enterprise Application Platform (EAP) y Enterprise Web Platform (EWP) v5.2.0 y posiblemente v5.1.2 usa permisos de lectura para todos los usuarios en el fichero XML auto-install, lo que perm... • http://rhn.redhat.com/errata/RHSA-2013-0206.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2012-4550 – JACC: Security constraints configured for EJBs are incorrectly interpreted and not applied
https://notcve.org/view.php?id=CVE-2012-4550
05 Jan 2013 — JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) before 6.0.1, when using role-based authorization for Enterprise Java Beans (EJB) access, does not call the intended authorization modules, which prevents JACC permissions from being applied and allows remote attackers to obtain access to the EJB. JBoss Enterprise Application Platform (tambíen conocido como JBoss EAP o JBEAP) anteriores a v6.0.1, cuando se usa una autorización basada en roles para acceder a Enterprise Java Beans (EJB), no llama ... • http://rhn.redhat.com/errata/RHSA-2012-1591.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.8EPSS: 0%CPEs: 11EXPL: 0CVE-2012-4549 – AS: EJB authorization succeeds for any role when allowed roles list is empty
https://notcve.org/view.php?id=CVE-2012-4549
05 Jan 2013 — The processInvocation function in org.jboss.as.ejb3.security.AuthorizationInterceptor in JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) before 6.0.1, authorizes all requests when no roles are allowed for an Enterprise Java Beans (EJB) method invocation, which allows attackers to bypass intended access restrictions for EJB methods. La función processInvocation en org.jboss.as.ejb3.security.AuthorizationInterceptor en JBoss Enterprise Application Platform (tambien conocido como JBoss EAP o JBE... • http://rhn.redhat.com/errata/RHSA-2012-1591.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.8EPSS: 0%CPEs: 13EXPL: 0CVE-2012-1167 – JBoss: authentication bypass when running under JACC with ignoreBaseDecision on JBossWebRealm
https://notcve.org/view.php?id=CVE-2012-1167
23 Nov 2012 — The JBoss Server in JBoss Enterprise Application Platform 5.1.x before 5.1.2 and 5.2.x before 5.2.2, Web Platform before 5.1.2, BRMS Platform before 5.3.0, and SOA Platform before 5.3.0, when the server is configured to use the JaccAuthorizationRealm and the ignoreBaseDecision property is set to true on the JBossWebRealm, does not properly check the permissions created by the WebPermissionMapping class, which allows remote authenticated users to access arbitrary applications. El JBoss Server en JBoss Enterp... • http://rhn.redhat.com/errata/RHSA-2012-1013.html • CWE-264: Permissions, Privileges, and Access Controls •