Page 20 of 125 results (0.031 seconds)

CVSS: 4.0EPSS: 0%CPEs: 3EXPL: 0

CVE-2012-3369 – JBoss: CallerIdentityLoginModule retaining password from previous call if a null password is provided

https://notcve.org/view.php?id=CVE-2012-3369

The CallerIdentityLoginModule in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 allows remote attackers to gain privileges of the previous user via a null password, which causes the previous user's password to be used. CallerIdentityLoginModule en JBoss Enterprise Application Platform (EAP) anterior a versión 5.2.0, Web Platform (EWP) anterior a versión 5.2.0, BRMS Platform anterior a versión 5.3.1 y SOA Platform anterior a versión 5.3.1, y SOA Platform anterior a Versión 5.3.1, permite a los atacantes remotos alcanzar privilegios del usuario anterior por medio de una contraseña null, lo que causa que sea usada la contraseña del usuario anterior. • http://rhn.redhat.com/errata/RHSA-2013-0191.html http://rhn.redhat.com/errata/RHSA-2013-0192.html http://rhn.redhat.com/errata/RHSA-2013-0193.html http://rhn.redhat.com/errata/RHSA-2013-0194.html http://rhn.redhat.com/errata/RHSA-2013-0195.html http://rhn.redhat.com/errata/RHSA-2013-0196.html http://rhn.redhat.com/errata/RHSA-2013-0197.html http://rhn.redhat.com/errata/RHSA-2013-0198.html http://rhn.redhat.com/errata/RHSA-2013-0221.html http://rhn • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0

CVE-2012-4550 – JACC: Security constraints configured for EJBs are incorrectly interpreted and not applied

https://notcve.org/view.php?id=CVE-2012-4550

JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) before 6.0.1, when using role-based authorization for Enterprise Java Beans (EJB) access, does not call the intended authorization modules, which prevents JACC permissions from being applied and allows remote attackers to obtain access to the EJB. JBoss Enterprise Application Platform (tambíen conocido como JBoss EAP o JBEAP) anteriores a v6.0.1, cuando se usa una autorización basada en roles para acceder a Enterprise Java Beans (EJB), no llama a los módulos de autorización de forma adecuada, lo que evita que se puedan usar los permisos JACC de ser aplicados y permiten a atacantes remotos obtener acceso a EJB. • http://rhn.redhat.com/errata/RHSA-2012-1591.html http://rhn.redhat.com/errata/RHSA-2012-1592.html http://rhn.redhat.com/errata/RHSA-2012-1594.html http://secunia.com/advisories/51607 https://access.redhat.com/security/cve/CVE-2012-4550 https://bugzilla.redhat.com/show_bug.cgi?id=870871 • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 5.8EPSS: 0%CPEs: 11EXPL: 0

CVE-2012-4549 – AS: EJB authorization succeeds for any role when allowed roles list is empty

https://notcve.org/view.php?id=CVE-2012-4549

The processInvocation function in org.jboss.as.ejb3.security.AuthorizationInterceptor in JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) before 6.0.1, authorizes all requests when no roles are allowed for an Enterprise Java Beans (EJB) method invocation, which allows attackers to bypass intended access restrictions for EJB methods. La función processInvocation en org.jboss.as.ejb3.security.AuthorizationInterceptor en JBoss Enterprise Application Platform (tambien conocido como JBoss EAP o JBEAP) anteriores a v6.0.1, autoriza todas las peticiones cuando no están permitidos los roles para la invocación del método Enterprise Java Beans (EJB), lo que permite a atacantes remotos evitar las restricciones impuestas a los métodos EJB. • http://rhn.redhat.com/errata/RHSA-2012-1591.html http://rhn.redhat.com/errata/RHSA-2012-1592.html http://rhn.redhat.com/errata/RHSA-2012-1594.html http://secunia.com/advisories/51607 https://access.redhat.com/security/cve/CVE-2012-4549 https://bugzilla.redhat.com/show_bug.cgi?id=870868 • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 2.1EPSS: 0%CPEs: 1EXPL: 0

CVE-2012-3427 – AMI: insecure default file permissions for /var/cache/jboss-ec2-eap

https://notcve.org/view.php?id=CVE-2012-3427

EC2 Amazon Machine Image (AMI) in JBoss Enterprise Application Platform (EAP) 5.1.2 uses 755 permissions for /var/cache/jboss-ec2-eap/, which allows local users to read sensitive information such as Amazon Web Services (AWS) credentials by reading files in the directory. EC2 Amazon Machine Image (AMI) en JBoss Enterprise Application Platform (EAP) 5.1.2 utiliza permisos 755 para /var/cache/jboss-ec2-eap/, lo cual permite a usuarios locales leer información sensible como credenciales de Amazon Web Services (AWS) leyendo archivos en el directorio. • http://rhn.redhat.com/errata/RHSA-2012-1376.html http://secunia.com/advisories/51016 http://www.osvdb.org/86409 http://www.securityfocus.com/bid/55945 https://exchange.xforce.ibmcloud.com/vulnerabilities/79398 https://access.redhat.com/security/cve/CVE-2012-3427 https://bugzilla.redhat.com/show_bug.cgi?id=843335 • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 2.1EPSS: 0%CPEs: 2EXPL: 0

CVE-2009-5066 – JBoss: twiddle.sh accepts credentials as command line arguments, exposing them to other local users via a process listing

https://notcve.org/view.php?id=CVE-2009-5066

twiddle.sh in JBoss AS 5.0 and EAP 5.0 and earlier accepts credentials as command-line arguments, which allows local users to read the credentials by listing the process and its arguments. twiddle.sh en JBoss AS v5.0 y PEA v5.0 y versiones anteriores acepta credenciales como argumentos de línea de comandos, lo que permite a usuarios locales leer las credenciales al listar el proceso y sus argumentos. • http://objectopia.com/2009/10/01/securing-jmx-invoker-layer-in-jboss http://rhn.redhat.com/errata/RHSA-2013-0191.html http://rhn.redhat.com/errata/RHSA-2013-0192.html http://rhn.redhat.com/errata/RHSA-2013-0193.html http://rhn.redhat.com/errata/RHSA-2013-0194.html http://rhn.redhat.com/errata/RHSA-2013-0195.html http://rhn.redhat.com/errata/RHSA-2013-0196.html http://rhn.redhat.com/errata/RHSA-2013-0197.html http://rhn.redhat.com/errata/RHSA-2013-0198.ht • CWE-255: Credentials Management Errors •