Page 2 of 15 results (0.026 seconds)

CVSS: 7.5EPSS: 1%CPEs: 4EXPL: 0

CVE-2012-5629 – JBoss: allows empty password to authenticate against LDAP

https://notcve.org/view.php?id=CVE-2012-5629

The default configuration of the (1) LdapLoginModule and (2) LdapExtLoginModule modules in JBoss Enterprise Application Platform (EAP) 4.3.0 CP10, 5.2.0, and 6.0.1, and Enterprise Web Platform (EWP) 5.2.0 allow remote attackers to bypass authentication via an empty password. La configuración por defecto de los módulos (1) LdapLoginModule y (2) LdapExtLoginModule en JBoss Enterprise Application Platform (EAP)v 4.3.0 CP10, v5.2.0 y v6.0.1 6.0.1, y Enterprise Web Platform (EWP) v5.2.0, permite a atacantes remotos la autenticación sin contraseña. • http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=885569 http://rhn.redhat.com/errata/RHSA-2013-0229.html http://rhn.redhat.com/errata/RHSA-2013-0230.html http://rhn.redhat.com/errata/RHSA-2013-0231.html http://rhn.redhat.com/errata/RHSA-2013-0232.html http://rhn.redhat.com/errata/RHSA-2013-0233.html http://rhn.redhat.com/errata/RHSA-2013-0234.html http://rhn.redhat.com/errata/RHSA-2013-0248.html http://rhn.redhat.com/errata/RHSA-2013-0533.html http: • CWE-264: Permissions, Privileges, and Access Controls CWE-305: Authentication Bypass by Primary Weakness •

CVSS: 2.1EPSS: 0%CPEs: 4EXPL: 0

CVE-2013-0218 – Installer: Generated auto-install xml is world readable

https://notcve.org/view.php?id=CVE-2013-0218

The GUI installer in JBoss Enterprise Application Platform (EAP) and Enterprise Web Platform (EWP) 5.2.0 and possibly 5.1.2 uses world-readable permissions for the auto-install XML file, which allows local users to obtain the administrator password and the sucker password by reading this file. El instalador GUI en JBoss Enterprise Application Platform (EAP) y Enterprise Web Platform (EWP) v5.2.0 y posiblemente v5.1.2 usa permisos de lectura para todos los usuarios en el fichero XML auto-install, lo que permite a usuarios locales obtener el password del administrador mediante la lecutra de dicho fichero. • http://rhn.redhat.com/errata/RHSA-2013-0206.html http://rhn.redhat.com/errata/RHSA-2013-0207.html http://rhn.redhat.com/errata/RHSA-2013-0833.html http://secunia.com/advisories/52041 http://www.osvdb.org/89698 http://www.securityfocus.com/bid/57652 https://bugzilla.redhat.com/show_bug.cgi?id=903073 https://exchange.xforce.ibmcloud.com/vulnerabilities/81725 https://access.redhat.com/security/cve/CVE-2013-0218 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0

CVE-2011-4575 – Console: XSS in invoke operation

https://notcve.org/view.php?id=CVE-2011-4575

Cross-site scripting (XSS) vulnerability in the JMX console in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Una vulnerabilidad de tipo cross-site scripting (XSS) en la consola JMX en JBoss Enterprise Application Platform (EAP) anterior a versión 5.2.0, Web Platform (EWP) anterior a versión 5.2.0, BRMS Platform anterior a versión 5.3.1, y SOA Platform anterior a versión 5.3.1, permite a los atacantes remotos inyectar script web o HTML arbitrario por medio de vectores no especificados. It was found that the parameters passed to operation invocations on the JMX console were not properly sanitized. Remote attackers could use this flaw to inject arbitrary web script or HTML into the JMX console. • http://rhn.redhat.com/errata/RHSA-2013-0191.html http://rhn.redhat.com/errata/RHSA-2013-0192.html http://rhn.redhat.com/errata/RHSA-2013-0193.html http://rhn.redhat.com/errata/RHSA-2013-0194.html http://rhn.redhat.com/errata/RHSA-2013-0195.html http://rhn.redhat.com/errata/RHSA-2013-0196.html http://rhn.redhat.com/errata/RHSA-2013-0197.html http://rhn.redhat.com/errata/RHSA-2013-0198.html http://rhn.redhat.com/errata/RHSA-2013-0221.html http://secuni • CWE-20: Improper Input Validation CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.8EPSS: 0%CPEs: 3EXPL: 0

CVE-2012-3370 – JBoss: SecurityAssociation.getCredential() will return the previous credential if no security context is provided

https://notcve.org/view.php?id=CVE-2012-3370

The SecurityAssociation.getCredential method in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 returns the credentials of the previous user when a security context is not provided, which allows remote attackers to gain privileges as other users. El método SecurityAssociation.getCredential en JBoss Enterprise Application Platform (EAP) anterior a versión 5.2.0, Web Platform (EWP) anterior a versión 5.2.0, BRMS Platform anterior a versión 5.3.1 y SOA Platform anterior a versión 5.3.1, devuelve las credenciales del usuario anterior cuando no es proporcionado un contexto de seguridad, lo que permite a los atacantes remotos alcanzar privilegios como otros usuarios. • http://rhn.redhat.com/errata/RHSA-2013-0191.html http://rhn.redhat.com/errata/RHSA-2013-0192.html http://rhn.redhat.com/errata/RHSA-2013-0193.html http://rhn.redhat.com/errata/RHSA-2013-0194.html http://rhn.redhat.com/errata/RHSA-2013-0195.html http://rhn.redhat.com/errata/RHSA-2013-0196.html http://rhn.redhat.com/errata/RHSA-2013-0197.html http://rhn.redhat.com/errata/RHSA-2013-0198.html http://rhn.redhat.com/errata/RHSA-2013-0221.html http://rhn • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 4.9EPSS: 0%CPEs: 3EXPL: 0

CVE-2012-5478 – JBoss: AuthorizationInterceptor allows JMX operation to proceed despite authorization failure

https://notcve.org/view.php?id=CVE-2012-5478

The AuthorizationInterceptor in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 does not properly restrict access, which allows remote authenticated users to bypass intended role restrictions and perform arbitrary JMX operations via unspecified vectors. El AuthorizationInterceptor en JBoss Enterprise Application Platform (EAP) anterior a versión 5.2.0, Web Platform (EWP) anterior a versión 5.2.0, BRMS Platform anterior a versión 5.3.1 y SOA Platform anterior a versión 5.3.1, no restringe apropiadamente el acceso, lo que permite a los usuarios remotos autenticados omitir las restricciones de rol previstas y realizar operaciones JMX arbitrarias por medio de vectores no especificados. • http://rhn.redhat.com/errata/RHSA-2013-0191.html http://rhn.redhat.com/errata/RHSA-2013-0192.html http://rhn.redhat.com/errata/RHSA-2013-0193.html http://rhn.redhat.com/errata/RHSA-2013-0194.html http://rhn.redhat.com/errata/RHSA-2013-0195.html http://rhn.redhat.com/errata/RHSA-2013-0196.html http://rhn.redhat.com/errata/RHSA-2013-0197.html http://rhn.redhat.com/errata/RHSA-2013-0198.html http://rhn.redhat.com/errata/RHSA-2013-0221.html http://rhn • CWE-264: Permissions, Privileges, and Access Controls •