CVE-2012-4529
Web: jsessionid exposed via encoded url when using cookie based session tracking
Severity Score
4.3
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
The org.apache.catalina.connector.Response.encodeURL method in Red Hat JBoss Web 7.1.x and earlier, when the tracking mode is set to COOKIE, sends the jsessionid in the URL of the first response of a session, which allows remote attackers to obtain the session id (1) via a man-in-the-middle attack or (2) by reading a log.
El método org.apache.catalina.connector.Response.encodeURL en Red Hat JBoss Web 7.1.x y anteriores, cuando el modo de traceo está fijado a COOKIE, envia el parámetro jsessionid en la URL de la primera respuesta de una sesion, lo que permite a atacantes remotos obtener el id de sesion a treves de un ataque man-in-the-middle o leyendo un log
JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. This release serves as a replacement for JBoss Enterprise Application Platform 6.0.1, and includes bug fixes and enhancements.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2012-08-21 CVE Reserved
- 2013-05-20 CVE Published
- 2024-08-06 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (8)
| URL | Tag | Source |
|---|---|---|
| http://ocpsoft.org/support/topic/session-id-is-appended-as-url-path-parameter-in-very-first-request | X_refsource_misc | |
| https://issues.jboss.org/browse/JBWEB-249 | X_refsource_confirm |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://rhn.redhat.com/errata/RHSA-2013-0833.html | 2013-10-30 | |
| http://rhn.redhat.com/errata/RHSA-2013-0834.html | 2013-10-30 | |
| http://rhn.redhat.com/errata/RHSA-2013-0839.html | 2013-10-30 | |
| http://rhn.redhat.com/errata/RHSA-2013-1437.html | 2013-10-30 | |
| https://access.redhat.com/security/cve/CVE-2012-4529 | 2013-10-16 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=868202 | 2013-10-16 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Redhat Search vendor "Redhat" | Jboss Community Application Server Search vendor "Redhat" for product "Jboss Community Application Server" | <= 7.1.1 Search vendor "Redhat" for product "Jboss Community Application Server" and version " <= 7.1.1" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Community Application Server Search vendor "Redhat" for product "Jboss Community Application Server" | 5.0.0 Search vendor "Redhat" for product "Jboss Community Application Server" and version "5.0.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Community Application Server Search vendor "Redhat" for product "Jboss Community Application Server" | 5.0.1 Search vendor "Redhat" for product "Jboss Community Application Server" and version "5.0.1" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Community Application Server Search vendor "Redhat" for product "Jboss Community Application Server" | 5.1.0 Search vendor "Redhat" for product "Jboss Community Application Server" and version "5.1.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Community Application Server Search vendor "Redhat" for product "Jboss Community Application Server" | 6.0.0 Search vendor "Redhat" for product "Jboss Community Application Server" and version "6.0.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Community Application Server Search vendor "Redhat" for product "Jboss Community Application Server" | 6.1.0 Search vendor "Redhat" for product "Jboss Community Application Server" and version "6.1.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Community Application Server Search vendor "Redhat" for product "Jboss Community Application Server" | 7.0.0 Search vendor "Redhat" for product "Jboss Community Application Server" and version "7.0.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Community Application Server Search vendor "Redhat" for product "Jboss Community Application Server" | 7.0.1 Search vendor "Redhat" for product "Jboss Community Application Server" and version "7.0.1" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Community Application Server Search vendor "Redhat" for product "Jboss Community Application Server" | 7.0.2 Search vendor "Redhat" for product "Jboss Community Application Server" and version "7.0.2" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Community Application Server Search vendor "Redhat" for product "Jboss Community Application Server" | 7.1.0 Search vendor "Redhat" for product "Jboss Community Application Server" and version "7.1.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 6.0.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "6.0.0" | - |
Affected
| ||||||