// For flags

CVE-2012-1100

JON: LDAP authentication allows any user access if bind credentials are bad

Severity Score

9.8
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Red Hat JBoss Operations Network (JON) 3.0.x before 3.0.1, 2.4.2, and earlier, when LDAP authentication is enabled and the LDAP bind account credentials are invalid, allows remote attackers to login to LDAP-based accounts via an arbitrary password in a login request.

Red Hat JBoss Operations Network (JON) 3.0.x anterior a 3.0.1, 2.4.2 y anteriores, cuando la autenticación LDAP está habilitada y las credenciales de la cuenta LDAP bind no son válidos, permite a atacantes remotos iniciar una sesión en cuentas basadas en LDAP a través de una contraseña arbitraria en una solicitud de inicio de sesión.

JBoss Operations Network is a middleware management solution that provides a single point of control to deploy, manage, and monitor JBoss Enterprise Middleware, applications, and services. A flaw was found in the way LDAP authentication was handled. If the LDAP bind account credentials became invalid, subsequent log in attempts with any password for user accounts created via LDAP were successful. A remote attacker could use this flaw to log into LDAP-based JBoss ON accounts without knowing the correct passwords.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2012-02-14 CVE Reserved
  • 2012-03-19 CVE Published
  • 2024-08-06 CVE Updated
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-287: Improper Authentication
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Redhat
Search vendor "Redhat"
 Jboss Operations Network
Search vendor "Redhat" for product "Jboss Operations Network"
 <= 2.4.1
Search vendor "Redhat" for product "Jboss Operations Network" and version " <= 2.4.1"
-
Affected
Redhat
Search vendor "Redhat"
 Jboss Operations Network
Search vendor "Redhat" for product "Jboss Operations Network"
 2.0.0
Search vendor "Redhat" for product "Jboss Operations Network" and version "2.0.0"
-
Affected
Redhat
Search vendor "Redhat"
 Jboss Operations Network
Search vendor "Redhat" for product "Jboss Operations Network"
 2.0.1
Search vendor "Redhat" for product "Jboss Operations Network" and version "2.0.1"
-
Affected
Redhat
Search vendor "Redhat"
 Jboss Operations Network
Search vendor "Redhat" for product "Jboss Operations Network"
 2.1.0
Search vendor "Redhat" for product "Jboss Operations Network" and version "2.1.0"
-
Affected
Redhat
Search vendor "Redhat"
 Jboss Operations Network
Search vendor "Redhat" for product "Jboss Operations Network"
 2.2
Search vendor "Redhat" for product "Jboss Operations Network" and version "2.2"
-
Affected
Redhat
Search vendor "Redhat"
 Jboss Operations Network
Search vendor "Redhat" for product "Jboss Operations Network"
 2.3
Search vendor "Redhat" for product "Jboss Operations Network" and version "2.3"
-
Affected
Redhat
Search vendor "Redhat"
 Jboss Operations Network
Search vendor "Redhat" for product "Jboss Operations Network"
 2.3.1
Search vendor "Redhat" for product "Jboss Operations Network" and version "2.3.1"
-
Affected
Redhat
Search vendor "Redhat"
 Jboss Operations Network
Search vendor "Redhat" for product "Jboss Operations Network"
 2.4
Search vendor "Redhat" for product "Jboss Operations Network" and version "2.4"
-
Affected
Redhat
Search vendor "Redhat"
 Jboss Operations Network
Search vendor "Redhat" for product "Jboss Operations Network"
 3.0
Search vendor "Redhat" for product "Jboss Operations Network" and version "3.0"
-
Affected