CVE-2011-4085
Invoker servlets authentication bypass (HTTP verb tampering)
Severity Score
6.8
*CVSS v2
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
The servlets invoked by httpha-invoker in JBoss Enterprise Application Platform before 5.1.2, SOA Platform before 5.2.0, BRMS Platform before 5.3.0, and Portal Platform before 4.3 CP07 perform access control only for the GET and POST methods, which allow remote attackers to bypass authentication by sending a request with a different method. NOTE: this vulnerability exists because of a CVE-2010-0738 regression.
Los servlets invocados por httpha-invoker en JBoss Enterprise Application Platform anterior a v5.1.2, SOA Platform anterior a v5.2.0, BRMS Platform anterior a v5.3.0, y Portal Platform anterior a v4.3 CP07 lleva a cabo el control de acceso sólo para los métodos GET y POST, lo que permite a atacantes remotos evitar la autenticación mediante el envío de una solicitud con un método diferente. NOTA: esta vulnerabilidad se debe a CVE-2010-0738
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2011-10-18 CVE Reserved
- 2011-11-17 CVE Published
- 2023-03-07 EPSS Updated
- 2024-08-06 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-287: Improper Authentication
CAPEC
References (12)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://rhn.redhat.com/errata/RHSA-2011-1456.html | 2023-11-07 | |
| http://rhn.redhat.com/errata/RHSA-2011-1798.html | 2023-11-07 | |
| http://rhn.redhat.com/errata/RHSA-2011-1799.html | 2023-11-07 | |
| http://rhn.redhat.com/errata/RHSA-2011-1800.html | 2023-11-07 | |
| http://rhn.redhat.com/errata/RHSA-2011-1805.html | 2023-11-07 | |
| http://rhn.redhat.com/errata/RHSA-2011-1822.html | 2023-11-07 | |
| http://rhn.redhat.com/errata/RHSA-2012-0091.html | 2023-11-07 | |
| http://rhn.redhat.com/errata/RHSA-2012-1028.html | 2023-11-07 | |
| http://secunia.com/advisories/47169 | 2023-11-07 | |
| http://secunia.com/advisories/47866 | 2023-11-07 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=750422 | 2012-06-22 | |
| https://access.redhat.com/security/cve/CVE-2011-4085 | 2012-06-22 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | <= 5.1.1 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version " <= 5.1.1" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 4.2.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "4.2.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 4.3.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "4.3.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 5.0.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "5.0.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 5.0.1 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "5.0.1" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 5.1.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "5.1.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Soa Platform Search vendor "Redhat" for product "Jboss Enterprise Soa Platform" | <= 5.1.1 Search vendor "Redhat" for product "Jboss Enterprise Soa Platform" and version " <= 5.1.1" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Soa Platform Search vendor "Redhat" for product "Jboss Enterprise Soa Platform" | 4.2.0 Search vendor "Redhat" for product "Jboss Enterprise Soa Platform" and version "4.2.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Soa Platform Search vendor "Redhat" for product "Jboss Enterprise Soa Platform" | 4.2.0 Search vendor "Redhat" for product "Jboss Enterprise Soa Platform" and version "4.2.0" | cp01 |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Soa Platform Search vendor "Redhat" for product "Jboss Enterprise Soa Platform" | 4.2.0 Search vendor "Redhat" for product "Jboss Enterprise Soa Platform" and version "4.2.0" | cp02 |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Soa Platform Search vendor "Redhat" for product "Jboss Enterprise Soa Platform" | 4.2.0 Search vendor "Redhat" for product "Jboss Enterprise Soa Platform" and version "4.2.0" | cp03 |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Soa Platform Search vendor "Redhat" for product "Jboss Enterprise Soa Platform" | 4.2.0 Search vendor "Redhat" for product "Jboss Enterprise Soa Platform" and version "4.2.0" | cp04 |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Soa Platform Search vendor "Redhat" for product "Jboss Enterprise Soa Platform" | 4.2.0 Search vendor "Redhat" for product "Jboss Enterprise Soa Platform" and version "4.2.0" | cp05 |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Soa Platform Search vendor "Redhat" for product "Jboss Enterprise Soa Platform" | 4.2.0 Search vendor "Redhat" for product "Jboss Enterprise Soa Platform" and version "4.2.0" | tp02 |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Soa Platform Search vendor "Redhat" for product "Jboss Enterprise Soa Platform" | 4.3.0 Search vendor "Redhat" for product "Jboss Enterprise Soa Platform" and version "4.3.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Soa Platform Search vendor "Redhat" for product "Jboss Enterprise Soa Platform" | 4.3.0 Search vendor "Redhat" for product "Jboss Enterprise Soa Platform" and version "4.3.0" | cp01 |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Soa Platform Search vendor "Redhat" for product "Jboss Enterprise Soa Platform" | 4.3.0 Search vendor "Redhat" for product "Jboss Enterprise Soa Platform" and version "4.3.0" | cp02 |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Soa Platform Search vendor "Redhat" for product "Jboss Enterprise Soa Platform" | 4.3.0 Search vendor "Redhat" for product "Jboss Enterprise Soa Platform" and version "4.3.0" | cp03 |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Soa Platform Search vendor "Redhat" for product "Jboss Enterprise Soa Platform" | 4.3.0 Search vendor "Redhat" for product "Jboss Enterprise Soa Platform" and version "4.3.0" | cp04 |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Soa Platform Search vendor "Redhat" for product "Jboss Enterprise Soa Platform" | 4.3.0 Search vendor "Redhat" for product "Jboss Enterprise Soa Platform" and version "4.3.0" | cp05 |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Soa Platform Search vendor "Redhat" for product "Jboss Enterprise Soa Platform" | 5.0.0 Search vendor "Redhat" for product "Jboss Enterprise Soa Platform" and version "5.0.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Soa Platform Search vendor "Redhat" for product "Jboss Enterprise Soa Platform" | 5.0.1 Search vendor "Redhat" for product "Jboss Enterprise Soa Platform" and version "5.0.1" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Soa Platform Search vendor "Redhat" for product "Jboss Enterprise Soa Platform" | 5.0.2 Search vendor "Redhat" for product "Jboss Enterprise Soa Platform" and version "5.0.2" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Soa Platform Search vendor "Redhat" for product "Jboss Enterprise Soa Platform" | 5.1.0 Search vendor "Redhat" for product "Jboss Enterprise Soa Platform" and version "5.1.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Brms Platform Search vendor "Redhat" for product "Jboss Enterprise Brms Platform" | <= 5.2.0 Search vendor "Redhat" for product "Jboss Enterprise Brms Platform" and version " <= 5.2.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Portal Platform Search vendor "Redhat" for product "Jboss Enterprise Portal Platform" | <= 4.3.0 Search vendor "Redhat" for product "Jboss Enterprise Portal Platform" and version " <= 4.3.0" | - |
Affected
| ||||||