CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2012-5629 – JBoss: allows empty password to authenticate against LDAP
https://notcve.org/view.php?id=CVE-2012-5629
12 Mar 2013 — The default configuration of the (1) LdapLoginModule and (2) LdapExtLoginModule modules in JBoss Enterprise Application Platform (EAP) 4.3.0 CP10, 5.2.0, and 6.0.1, and Enterprise Web Platform (EWP) 5.2.0 allow remote attackers to bypass authentication via an empty password. La configuración por defecto de los módulos (1) LdapLoginModule y (2) LdapExtLoginModule en JBoss Enterprise Application Platform (EAP)v 4.3.0 CP10, v5.2.0 y v6.0.1 6.0.1, y Enterprise Web Platform (EWP) v5.2.0, permite a atacantes remo... • http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=885569 • CWE-264: Permissions, Privileges, and Access Controls CWE-305: Authentication Bypass by Primary Weakness •
CVSS: 9.8EPSS: 0%CPEs: 11EXPL: 0CVE-2012-4549 – AS: EJB authorization succeeds for any role when allowed roles list is empty
https://notcve.org/view.php?id=CVE-2012-4549
05 Jan 2013 — The processInvocation function in org.jboss.as.ejb3.security.AuthorizationInterceptor in JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) before 6.0.1, authorizes all requests when no roles are allowed for an Enterprise Java Beans (EJB) method invocation, which allows attackers to bypass intended access restrictions for EJB methods. La función processInvocation en org.jboss.as.ejb3.security.AuthorizationInterceptor en JBoss Enterprise Application Platform (tambien conocido como JBoss EAP o JBE... • http://rhn.redhat.com/errata/RHSA-2012-1591.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.8EPSS: 0%CPEs: 26EXPL: 0CVE-2011-4085 – Invoker servlets authentication bypass (HTTP verb tampering)
https://notcve.org/view.php?id=CVE-2011-4085
23 Nov 2012 — The servlets invoked by httpha-invoker in JBoss Enterprise Application Platform before 5.1.2, SOA Platform before 5.2.0, BRMS Platform before 5.3.0, and Portal Platform before 4.3 CP07 perform access control only for the GET and POST methods, which allow remote attackers to bypass authentication by sending a request with a different method. NOTE: this vulnerability exists because of a CVE-2010-0738 regression. Los servlets invocados por httpha-invoker en JBoss Enterprise Application Platform anterior a v5.1... • http://rhn.redhat.com/errata/RHSA-2011-1456.html • CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 2%CPEs: 9EXPL: 0CVE-2011-4605 – JNDI: unauthenticated remote write access is permitted by default
https://notcve.org/view.php?id=CVE-2011-4605
23 Nov 2012 — The (1) JNDI service, (2) HA-JNDI service, and (3) HAJNDIFactory invoker servlet in JBoss Enterprise Application Platform 4.3.0 CP10 and 5.1.2, Web Platform 5.1.2, SOA Platform 4.2.0.CP05 and 4.3.0.CP05, Portal Platform 4.3 CP07 and 5.2.x before 5.2.2, and BRMS Platform before 5.3.0 do not properly restrict write access, which allows remote attackers to add, delete, or modify items in a JNDI tree via unspecified vectors. El (1) servicio JNDI, (2) servicio HA-JNDI, y (3) servlet HAJNDIFactory en JBoss Enterp... • http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=766469 • CWE-264: Permissions, Privileges, and Access Controls CWE-306: Missing Authentication for Critical Function •
CVSS: 9.8EPSS: 0%CPEs: 13EXPL: 0CVE-2012-1167 – JBoss: authentication bypass when running under JACC with ignoreBaseDecision on JBossWebRealm
https://notcve.org/view.php?id=CVE-2012-1167
23 Nov 2012 — The JBoss Server in JBoss Enterprise Application Platform 5.1.x before 5.1.2 and 5.2.x before 5.2.2, Web Platform before 5.1.2, BRMS Platform before 5.3.0, and SOA Platform before 5.3.0, when the server is configured to use the JaccAuthorizationRealm and the ignoreBaseDecision property is set to true on the JBossWebRealm, does not properly check the permissions created by the WebPermissionMapping class, which allows remote authenticated users to access arbitrary applications. El JBoss Server en JBoss Enterp... • http://rhn.redhat.com/errata/RHSA-2012-1013.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2009-5066 – JBoss: twiddle.sh accepts credentials as command line arguments, exposing them to other local users via a process listing
https://notcve.org/view.php?id=CVE-2009-5066
13 Aug 2012 — twiddle.sh in JBoss AS 5.0 and EAP 5.0 and earlier accepts credentials as command-line arguments, which allows local users to read the credentials by listing the process and its arguments. twiddle.sh en JBoss AS v5.0 y PEA v5.0 y versiones anteriores acepta credenciales como argumentos de línea de comandos, lo que permite a usuarios locales leer las credenciales al listar el proceso y sus argumentos. • http://objectopia.com/2009/10/01/securing-jmx-invoker-layer-in-jboss • CWE-255: Credentials Management Errors •
CVSS: 8.8EPSS: 1%CPEs: 37EXPL: 0CVE-2011-2196 – JBoss Seam EL interpolation in exception handling
https://notcve.org/view.php?id=CVE-2011-2196
27 Jul 2011 — jboss-seam.jar in the JBoss Seam 2 framework 2.2.x and earlier, as distributed in Red Hat JBoss Enterprise SOA Platform 4.3.0.CP05 and 5.1.0; JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3.0, 4.3.0.CP09, and 5.1.1; and JBoss Enterprise Web Platform 5.1.1, does not properly restrict use of Expression Language (EL) statements in FacesMessages during page exception handling, which allows remote attackers to execute arbitrary Java code via a crafted URL to an application. NOTE: this vulnerab... • http://www.redhat.com/support/errata/RHSA-2011-0945.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 8.8EPSS: 1%CPEs: 35EXPL: 0CVE-2011-1484 – JBoss Seam privilege escalation caused by EL interpolation in FacesMessages
https://notcve.org/view.php?id=CVE-2011-1484
27 Jul 2011 — jboss-seam.jar in the JBoss Seam 2 framework 2.2.x and earlier, as distributed in Red Hat JBoss Enterprise SOA Platform 4.3.0.CP04 and 5.1.0 and JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3.0.CP09 and 5.1.0, does not properly restrict use of Expression Language (EL) statements in FacesMessages during page exception handling, which allows remote attackers to execute arbitrary Java code via a crafted URL to an application. jboss-seam.jar en el framework JBoss Seam 2 2.2.x y versiones ant... • http://www.redhat.com/support/errata/RHSA-2011-0460.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 1%CPEs: 23EXPL: 0CVE-2010-3862 – JBoss Remoting Denial-Of-Service
https://notcve.org/view.php?id=CVE-2010-3862
30 Dec 2010 — The org.jboss.remoting.transport.bisocket.BisocketServerInvoker$SecondaryServerSocketThread.run method in JBoss Remoting 2.2.x before 2.2.3.SP4 and 2.5.x before 2.5.3.SP2 in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3 through 4.3.0.CP09, and 5.1.0; and JBoss Enterprise Web Platform (aka JBEWP) 5.1.0; allows remote attackers to cause a denial of service (daemon outage) by establishing a bisocket control connection TCP session, and then not sending any application data. El métod... • http://securitytracker.com/id?1024813 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 1%CPEs: 23EXPL: 0CVE-2010-4265 – jboss-remoting: missing fix for CVE-2010-3862
https://notcve.org/view.php?id=CVE-2010-4265
30 Dec 2010 — The org.jboss.remoting.transport.bisocket.BisocketServerInvoker$SecondaryServerSocketThread.run method in JBoss Remoting 2.2.x before 2.2.3.SP4 and 2.5.x before 2.5.3.SP2 in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3 through 4.3.0.CP09 allows remote attackers to cause a denial of service (daemon outage) by establishing a bisocket control connection TCP session, and then not sending any application data, related to a missing CVE-2010-3862 patch. NOTE: this can be considered a ... • http://securitytracker.com/id?1024840 •