CVE-2007-1354
 
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
The Access Control functionality (JMXOpsAccessControlFilter) in JMX Console in JBoss Application Server 4.0.2 and 4.0.5 before 20070416 uses a member variable to store the roles of the current user, which allows remote authenticated administrators to trigger a race condition and gain privileges by logging in during a session by a more privileged administrator, as demonstrated by privilege escalation from Read Mode to Write Mode.
La funcionalidad Control de Acceso (JMXOpsAccessControlFilter) en JMX Console de JBoss Application Server 4.0.2 y 4.0.5 versiones anteriores a 20070416 utiliza una variable miembro para almacenar los roles del usuario actual, lo cual permite a administradores remotos autenticados disparar una condición de carrera y obtener privilegios al identificarse en una sesión, por los de otro administrador con más privilegios, como se demuestra con un escalado de privilegios de Modo Lectura a Modo Escritura.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2007-03-08 CVE Reserved
- 2007-07-27 CVE Published
- 2024-05-30 EPSS Updated
- 2024-08-07 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (7)
URL | Tag | Source |
---|---|---|
http://osvdb.org/46765 | Vdb Entry |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
http://jira.jboss.com/jira/browse/ASPATCH-172 | 2008-11-13 | |
http://jira.jboss.com/jira/browse/ASPATCH-175 | 2008-11-13 | |
http://rhn.redhat.com/errata/RHSA-2007-0151.html | 2008-11-13 | |
http://www.redhat.com/archives/jboss-watch-list/2007-April/msg00000.html | 2008-11-13 |
URL | Date | SRC |
---|---|---|
https://access.redhat.com/security/cve/CVE-2007-1354 | 2007-04-16 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1618298 | 2007-04-16 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Jboss Search vendor "Jboss" | Jboss Application Server Search vendor "Jboss" for product "Jboss Application Server" | 4.0.2.ga_cp02 Search vendor "Jboss" for product "Jboss Application Server" and version "4.0.2.ga_cp02" | - |
Affected
| ||||||
Jboss Search vendor "Jboss" | Jboss Application Server Search vendor "Jboss" for product "Jboss Application Server" | 4.0.2.ga_cp03 Search vendor "Jboss" for product "Jboss Application Server" and version "4.0.2.ga_cp03" | - |
Affected
| ||||||
Jboss Search vendor "Jboss" | Jboss Application Server Search vendor "Jboss" for product "Jboss Application Server" | 4.0.2.ga_cp04 Search vendor "Jboss" for product "Jboss Application Server" and version "4.0.2.ga_cp04" | - |
Affected
| ||||||
Jboss Search vendor "Jboss" | Jboss Application Server Search vendor "Jboss" for product "Jboss Application Server" | 4.0.5.ga Search vendor "Jboss" for product "Jboss Application Server" and version "4.0.5.ga" | - |
Affected
| ||||||
Jboss Search vendor "Jboss" | Jboss Application Server Search vendor "Jboss" for product "Jboss Application Server" | 4.0.5_cp01 Search vendor "Jboss" for product "Jboss Application Server" and version "4.0.5_cp01" | - |
Affected
| ||||||
Jboss Search vendor "Jboss" | Jboss Application Server Search vendor "Jboss" for product "Jboss Application Server" | 4.0.5_cp02 Search vendor "Jboss" for product "Jboss Application Server" and version "4.0.5_cp02" | - |
Affected
|