Page 8 of 37 results (0.002 seconds)

CVSS: 5.0EPSS: 0%CPEs: 10EXPL: 0

The request handler in JBossWS in JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP06 and 4.3 before 4.3.0.CP04 does not properly validate the resource path during a request for a WSDL file with a custom web-service endpoint, which allows remote attackers to read arbitrary XML files via a crafted request. El manejador de solicitudes de JBossWS en JBoss Enterprise Application Platform (alias JBoss o JBEAP PEA) 4.2 antes de 4.2.0.CP06 y 4.3 antes de 4.3.0.CP04 no valida la ruta durante una petición de un archivo WSDL con un punto final del web-service propio, lo que permite a atacantes remotos leer archivos XML arbitrarios a través de una solicitud debidamente modificada. • http://rhn.redhat.com/errata/RHSA-2009-0346.html http://rhn.redhat.com/errata/RHSA-2009-0347.html http://rhn.redhat.com/errata/RHSA-2009-0348.html http://rhn.redhat.com/errata/RHSA-2009-0349.html http://secunia.com/advisories/34112 http://www.securityfocus.com/bid/34023 http://www.securitytracker.com/id?1021817 https://bugzilla.redhat.com/show_bug.cgi?id=479668 https://jira.jboss.org/jira/browse/JBPAPP-1548 https://access.redhat.com/security/cve/CVE-2009-0027 • CWE-20: Improper Input Validation •

CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 0

The default configuration of the JBossAs component in Red Hat JBoss Enterprise Application Platform (aka JBossEAP or EAP), possibly 4.2 before CP04 and 4.3 before CP02, when a production environment is enabled, sets the DownloadServerClasses property to true, which allows remote attackers to obtain sensitive information (non-EJB classes) via a download request, a different vulnerability than CVE-2008-3273. La configuración por defecto del componente JBossAs en Red Hat JBoss Enterprise Application Platform (también conocido como JBossEAP o EAP), posiblemente v4.2 anterior a CP04 y v4.3 anterior a CP02, cuando el entorno de producción está activado, establece la propiedad "DownloadServerClasses" a "true", lo que permite a atacantes remotos obtener información sensible (clases no-EJB) a través de una petición de descarga. Un a vulnerabilidad distinta de CVE-2008-3273. • http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=458823 http://www.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/4.2.0.cp04/html-single/readme/index.html http://www.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/4.3.0.cp02/html-single/readme/index.html http://www.redhat.com/support/errata/RHSA-2008-0831.html http://www.redhat.com/support/errata/RHSA-2008-0832.html http://www.redhat.com/support/errata/RHSA-2008-0833.html http://www.redhat.c • CWE-16: Configuration •