Page 21 of 129 results (0.014 seconds)

CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0

CVE-2012-4550 – JACC: Security constraints configured for EJBs are incorrectly interpreted and not applied

https://notcve.org/view.php?id=CVE-2012-4550

JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) before 6.0.1, when using role-based authorization for Enterprise Java Beans (EJB) access, does not call the intended authorization modules, which prevents JACC permissions from being applied and allows remote attackers to obtain access to the EJB. JBoss Enterprise Application Platform (tambíen conocido como JBoss EAP o JBEAP) anteriores a v6.0.1, cuando se usa una autorización basada en roles para acceder a Enterprise Java Beans (EJB), no llama a los módulos de autorización de forma adecuada, lo que evita que se puedan usar los permisos JACC de ser aplicados y permiten a atacantes remotos obtener acceso a EJB. • http://rhn.redhat.com/errata/RHSA-2012-1591.html http://rhn.redhat.com/errata/RHSA-2012-1592.html http://rhn.redhat.com/errata/RHSA-2012-1594.html http://secunia.com/advisories/51607 https://access.redhat.com/security/cve/CVE-2012-4550 https://bugzilla.redhat.com/show_bug.cgi?id=870871 • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 5.8EPSS: 0%CPEs: 11EXPL: 0

CVE-2012-4549 – AS: EJB authorization succeeds for any role when allowed roles list is empty

https://notcve.org/view.php?id=CVE-2012-4549

The processInvocation function in org.jboss.as.ejb3.security.AuthorizationInterceptor in JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) before 6.0.1, authorizes all requests when no roles are allowed for an Enterprise Java Beans (EJB) method invocation, which allows attackers to bypass intended access restrictions for EJB methods. La función processInvocation en org.jboss.as.ejb3.security.AuthorizationInterceptor en JBoss Enterprise Application Platform (tambien conocido como JBoss EAP o JBEAP) anteriores a v6.0.1, autoriza todas las peticiones cuando no están permitidos los roles para la invocación del método Enterprise Java Beans (EJB), lo que permite a atacantes remotos evitar las restricciones impuestas a los métodos EJB. • http://rhn.redhat.com/errata/RHSA-2012-1591.html http://rhn.redhat.com/errata/RHSA-2012-1592.html http://rhn.redhat.com/errata/RHSA-2012-1594.html http://secunia.com/advisories/51607 https://access.redhat.com/security/cve/CVE-2012-4549 https://bugzilla.redhat.com/show_bug.cgi?id=870868 • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 2.1EPSS: 0%CPEs: 1EXPL: 0

CVE-2012-3427 – AMI: insecure default file permissions for /var/cache/jboss-ec2-eap

https://notcve.org/view.php?id=CVE-2012-3427

EC2 Amazon Machine Image (AMI) in JBoss Enterprise Application Platform (EAP) 5.1.2 uses 755 permissions for /var/cache/jboss-ec2-eap/, which allows local users to read sensitive information such as Amazon Web Services (AWS) credentials by reading files in the directory. EC2 Amazon Machine Image (AMI) en JBoss Enterprise Application Platform (EAP) 5.1.2 utiliza permisos 755 para /var/cache/jboss-ec2-eap/, lo cual permite a usuarios locales leer información sensible como credenciales de Amazon Web Services (AWS) leyendo archivos en el directorio. • http://rhn.redhat.com/errata/RHSA-2012-1376.html http://secunia.com/advisories/51016 http://www.osvdb.org/86409 http://www.securityfocus.com/bid/55945 https://exchange.xforce.ibmcloud.com/vulnerabilities/79398 https://access.redhat.com/security/cve/CVE-2012-3427 https://bugzilla.redhat.com/show_bug.cgi?id=843335 • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 2.1EPSS: 0%CPEs: 2EXPL: 0

CVE-2009-5066 – JBoss: twiddle.sh accepts credentials as command line arguments, exposing them to other local users via a process listing

https://notcve.org/view.php?id=CVE-2009-5066

twiddle.sh in JBoss AS 5.0 and EAP 5.0 and earlier accepts credentials as command-line arguments, which allows local users to read the credentials by listing the process and its arguments. twiddle.sh en JBoss AS v5.0 y PEA v5.0 y versiones anteriores acepta credenciales como argumentos de línea de comandos, lo que permite a usuarios locales leer las credenciales al listar el proceso y sus argumentos. • http://objectopia.com/2009/10/01/securing-jmx-invoker-layer-in-jboss http://rhn.redhat.com/errata/RHSA-2013-0191.html http://rhn.redhat.com/errata/RHSA-2013-0192.html http://rhn.redhat.com/errata/RHSA-2013-0193.html http://rhn.redhat.com/errata/RHSA-2013-0194.html http://rhn.redhat.com/errata/RHSA-2013-0195.html http://rhn.redhat.com/errata/RHSA-2013-0196.html http://rhn.redhat.com/errata/RHSA-2013-0197.html http://rhn.redhat.com/errata/RHSA-2013-0198.ht • CWE-255: Credentials Management Errors •

CVSS: 7.5EPSS: 1%CPEs: 9EXPL: 0

CVE-2011-4605 – JNDI: unauthenticated remote write access is permitted by default

https://notcve.org/view.php?id=CVE-2011-4605

The (1) JNDI service, (2) HA-JNDI service, and (3) HAJNDIFactory invoker servlet in JBoss Enterprise Application Platform 4.3.0 CP10 and 5.1.2, Web Platform 5.1.2, SOA Platform 4.2.0.CP05 and 4.3.0.CP05, Portal Platform 4.3 CP07 and 5.2.x before 5.2.2, and BRMS Platform before 5.3.0 do not properly restrict write access, which allows remote attackers to add, delete, or modify items in a JNDI tree via unspecified vectors. El (1) servicio JNDI, (2) servicio HA-JNDI, y (3) servlet HAJNDIFactory en JBoss Enterprise Application Platform v4.3.0 CP10 y v5.1.2, Web Platform v5.1.2, SOA Platform v4.2.0.CP05 y v4.3.0.CP05, Portal Platform 4.3 CP07 y v5.2.x anterior a v5.2.2, y BRMS Platform anterior v5.3.0 no restringe correctamente el acceso de escritura, permitiendo a atacantes remotos añadir, borrar o modificar elementos en un árbol JNDI mediante vectores desconocidos. • http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=766469 http://rhn.redhat.com/errata/RHSA-2012-1022.html http://rhn.redhat.com/errata/RHSA-2012-1023.html http://rhn.redhat.com/errata/RHSA-2012-1024.html http://rhn.redhat.com/errata/RHSA-2012-1025.html http://rhn.redhat.com/errata/RHSA-2012-1026.html http://rhn.redhat.com/errata/RHSA-2012-1027.html http://rhn.redhat.com/errata/RHSA-2012-1028.html http://rhn.redhat.com/errata/RHSA-2012-1109.html http: • CWE-264: Permissions, Privileges, and Access Controls CWE-306: Missing Authentication for Critical Function •