Page 6 of 28 results (0.006 seconds)

CVSS: 6.8EPSS: 2%CPEs: 26EXPL: 0

CVE-2011-4085 – Invoker servlets authentication bypass (HTTP verb tampering)

https://notcve.org/view.php?id=CVE-2011-4085

The servlets invoked by httpha-invoker in JBoss Enterprise Application Platform before 5.1.2, SOA Platform before 5.2.0, BRMS Platform before 5.3.0, and Portal Platform before 4.3 CP07 perform access control only for the GET and POST methods, which allow remote attackers to bypass authentication by sending a request with a different method. NOTE: this vulnerability exists because of a CVE-2010-0738 regression. Los servlets invocados por httpha-invoker en JBoss Enterprise Application Platform anterior a v5.1.2, SOA Platform anterior a v5.2.0, BRMS Platform anterior a v5.3.0, y Portal Platform anterior a v4.3 CP07 lleva a cabo el control de acceso sólo para los métodos GET y POST, lo que permite a atacantes remotos evitar la autenticación mediante el envío de una solicitud con un método diferente. NOTA: esta vulnerabilidad se debe a CVE-2010-0738 • http://rhn.redhat.com/errata/RHSA-2011-1456.html http://rhn.redhat.com/errata/RHSA-2011-1798.html http://rhn.redhat.com/errata/RHSA-2011-1799.html http://rhn.redhat.com/errata/RHSA-2011-1800.html http://rhn.redhat.com/errata/RHSA-2011-1805.html http://rhn.redhat.com/errata/RHSA-2011-1822.html http://rhn.redhat.com/errata/RHSA-2012-0091.html http://rhn.redhat.com/errata/RHSA-2012-1028.html http://secunia.com/advisories/47169 http://secunia.com/advisories • CWE-287: Improper Authentication •

CVSS: 5.0EPSS: 0%CPEs: 17EXPL: 1

CVE-2010-1429 – JBossEAP status servlet info leak

https://notcve.org/view.php?id=CVE-2010-1429

Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 allows remote attackers to obtain sensitive information about "deployed web contexts" via a request to the status servlet, as demonstrated by a full=true query string. NOTE: this issue exists because of a CVE-2008-3273 regression. Plataforma de aplicación Red Hat JBoss Enterprise (conocido como JBoss EAP r JBEAP) v4.2 anterior v4.2.0.CP09 y v4.3 anterior v4.3.0.CP08 permite a atacantes remotos obtener información sensible "deployed web contexts" (Contextos web desarrollados) a través de peticiones a servlet de estado, como quedo demostrado con una petición de cadena con full=true. NOTA: esta vulnerabilidad está provocada por una regresión del CVE-2008-3273. JBoss versions 4.2.x and 4.3.x suffer from an information disclosure vulnerability. • http://marc.info/?l=bugtraq&m=132698550418872&w=2 http://secunia.com/advisories/39563 http://securitytracker.com/id?1023918 http://www.securityfocus.com/bid/39710 http://www.vupen.com/english/advisories/2010/0992 https://bugzilla.redhat.com/show_bug.cgi?id=585900 https://exchange.xforce.ibmcloud.com/vulnerabilities/58149 https://rhn.redhat.com/errata/RHSA-2010-0376.html https://rhn.redhat.com/errata/RHSA-2010-0377.html https://rhn.redhat.com/errata/RHSA-2010-0378.html • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 0

CVE-2008-3519 – JBossEAP allows download of non-EJB class files

https://notcve.org/view.php?id=CVE-2008-3519

The default configuration of the JBossAs component in Red Hat JBoss Enterprise Application Platform (aka JBossEAP or EAP), possibly 4.2 before CP04 and 4.3 before CP02, when a production environment is enabled, sets the DownloadServerClasses property to true, which allows remote attackers to obtain sensitive information (non-EJB classes) via a download request, a different vulnerability than CVE-2008-3273. La configuración por defecto del componente JBossAs en Red Hat JBoss Enterprise Application Platform (también conocido como JBossEAP o EAP), posiblemente v4.2 anterior a CP04 y v4.3 anterior a CP02, cuando el entorno de producción está activado, establece la propiedad "DownloadServerClasses" a "true", lo que permite a atacantes remotos obtener información sensible (clases no-EJB) a través de una petición de descarga. Un a vulnerabilidad distinta de CVE-2008-3273. • http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=458823 http://www.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/4.2.0.cp04/html-single/readme/index.html http://www.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/4.3.0.cp02/html-single/readme/index.html http://www.redhat.com/support/errata/RHSA-2008-0831.html http://www.redhat.com/support/errata/RHSA-2008-0832.html http://www.redhat.com/support/errata/RHSA-2008-0833.html http://www.redhat.c • CWE-16: Configuration •