CVE-2012-0052 – JON: Unapproved agents can connect using the name of an existing approved agent
https://notcve.org/view.php?id=CVE-2012-0052
Red Hat JBoss Operations Network (JON) before 2.4.2 and 3.0.x before 3.0.1 does not check the JON agent key, which allows remote attackers to spoof the identity of arbitrary agents via the registered agent name. Red Hat JBoss Operations Network (JON) anterior a 2.4.2 y 3.0.x anterior a 3.0.1 no comprueba la clave del agente JON, lo que permite a atacantes remotos falsificar la identidad de agentes arbitrarios a través del nombre del agente registrado. • http://rhn.redhat.com/errata/RHSA-2012-0089.html http://rhn.redhat.com/errata/RHSA-2012-0406.html https://bugzilla.redhat.com/show_bug.cgi?id=781964 https://access.redhat.com/security/cve/CVE-2012-0052 • CWE-20: Improper Input Validation •
CVE-2012-0062 – JON: Unapproved agents can hijack an approved agent's endpoint by using a null security token
https://notcve.org/view.php?id=CVE-2012-0062
Red Hat JBoss Operations Network (JON) before 2.4.2 and 3.0.x before 3.0.1 allows remote attackers to hijack agent sessions via an agent registration request without a security token. Red Hat JBoss Operations Network (JON) anterior a 2.4.2 y 3.0.x anterior a 3.0.1 permite a atacantes remotos secuestrar sesiones de agente a través de una solicitud de registro de agente sin un token de seguridad. • http://rhn.redhat.com/errata/RHSA-2012-0089.html http://rhn.redhat.com/errata/RHSA-2012-0406.html https://bugzilla.redhat.com/show_bug.cgi?id=783008 https://access.redhat.com/security/cve/CVE-2012-0062 • CWE-287: Improper Authentication •
CVE-2011-4573 – JON: Incorrect delete permissions check
https://notcve.org/view.php?id=CVE-2011-4573
Red Hat JBoss Operations Network (JON) before 2.4.2 does not properly enforce "modify resource" permissions for remote authenticated users when deleting a plug-in configuration update from the group connection properties history, which prevents such activities from being recorded in the audit trail. Red Hat JBoss Operations Network (JON) anterior a 2.4.2 no fuerza debidamente permisos de modificar recurso para usuarios remotos autenticados cuando elimina una actualización de configuración de plugin del historial de propiedades de conexión de grupo, lo que previene tales actividades de ser registradas en el registro de auditoría. • http://rhn.redhat.com/errata/RHSA-2012-0089.html https://bugzilla.redhat.com/show_bug.cgi?id=760024 https://access.redhat.com/security/cve/CVE-2011-4573 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2011-3206 – JON: Multiple XSS flaws
https://notcve.org/view.php?id=CVE-2011-3206
Multiple cross-site scripting (XSS) vulnerabilities in the administration interface in RHQ 4.2.0, as used in JBoss Operations Network (aka JON or JBoss ON) before 3.0, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. Varias vulnerabilidades de ejecución de comandos en sitios cruzados (XSS) en la interfaz de administración de RHQ v4.2.0, tal y como se utiliza en JBoss Operations Network (también conocido como Jon o JBoss ON) antes de la versión v3.0, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de vectores no especificados. • http://rhn.redhat.com/errata/RHSA-2012-0089.html http://secunia.com/advisories/47197 http://secunia.com/advisories/47280 http://securitytracker.com/id?1026435 https://bugzilla.redhat.com/show_bug.cgi?id=734662 https://access.redhat.com/security/cve/CVE-2011-3206 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •