CVSS: 9.1EPSS: 0%CPEs: 21EXPL: 0CVE-2012-4572 – JBoss: custom authorization module implementations shared between applications
https://notcve.org/view.php?id=CVE-2012-4572
20 May 2013 — Red Hat JBoss Enterprise Application Platform (EAP) before 6.1.0 and JBoss Portal before 6.1.0 does not load the implementation of a custom authorization module for a new application when an implementation is already loaded and the modules share class names, which allows local users to control certain applications' authorization decisions via a crafted application. Red Hat JBoss Enterprise Application Platform (EAP) antes de 6.1.0 y JBoss Portal anteriores a 6.1.0 no carga la implementación de un módulo de ... • http://rhn.redhat.com/errata/RHSA-2013-0833.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2012-5629 – JBoss: allows empty password to authenticate against LDAP
https://notcve.org/view.php?id=CVE-2012-5629
12 Mar 2013 — The default configuration of the (1) LdapLoginModule and (2) LdapExtLoginModule modules in JBoss Enterprise Application Platform (EAP) 4.3.0 CP10, 5.2.0, and 6.0.1, and Enterprise Web Platform (EWP) 5.2.0 allow remote attackers to bypass authentication via an empty password. La configuración por defecto de los módulos (1) LdapLoginModule y (2) LdapExtLoginModule en JBoss Enterprise Application Platform (EAP)v 4.3.0 CP10, v5.2.0 y v6.0.1 6.0.1, y Enterprise Web Platform (EWP) v5.2.0, permite a atacantes remo... • http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=885569 • CWE-264: Permissions, Privileges, and Access Controls CWE-305: Authentication Bypass by Primary Weakness •
CVSS: 9.8EPSS: 0%CPEs: 11EXPL: 0CVE-2012-4549 – AS: EJB authorization succeeds for any role when allowed roles list is empty
https://notcve.org/view.php?id=CVE-2012-4549
05 Jan 2013 — The processInvocation function in org.jboss.as.ejb3.security.AuthorizationInterceptor in JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) before 6.0.1, authorizes all requests when no roles are allowed for an Enterprise Java Beans (EJB) method invocation, which allows attackers to bypass intended access restrictions for EJB methods. La función processInvocation en org.jboss.as.ejb3.security.AuthorizationInterceptor en JBoss Enterprise Application Platform (tambien conocido como JBoss EAP o JBE... • http://rhn.redhat.com/errata/RHSA-2012-1591.html • CWE-264: Permissions, Privileges, and Access Controls •