CVE-2012-4549
AS: EJB authorization succeeds for any role when allowed roles list is empty
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
The processInvocation function in org.jboss.as.ejb3.security.AuthorizationInterceptor in JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) before 6.0.1, authorizes all requests when no roles are allowed for an Enterprise Java Beans (EJB) method invocation, which allows attackers to bypass intended access restrictions for EJB methods.
La función processInvocation en org.jboss.as.ejb3.security.AuthorizationInterceptor en JBoss Enterprise Application Platform (tambien conocido como JBoss EAP o JBEAP) anteriores a v6.0.1, autoriza todas las peticiones cuando no están permitidos los roles para la invocación del método Enterprise Java Beans (EJB), lo que permite a atacantes remotos evitar las restricciones impuestas a los métodos EJB.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2012-08-21 CVE Reserved
- 2012-12-19 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-06 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-264: Permissions, Privileges, and Access Controls
CAPEC
References (6)
URL | Tag | Source |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
http://rhn.redhat.com/errata/RHSA-2012-1591.html | 2013-01-15 | |
http://rhn.redhat.com/errata/RHSA-2012-1592.html | 2013-01-15 | |
http://rhn.redhat.com/errata/RHSA-2012-1594.html | 2013-01-15 | |
http://secunia.com/advisories/51607 | 2013-01-15 | |
https://access.redhat.com/security/cve/CVE-2012-4549 | 2012-12-18 | |
https://bugzilla.redhat.com/show_bug.cgi?id=870868 | 2012-12-18 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | <= 6.0.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version " <= 6.0.0" | - |
Affected
| ||||||
Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 4.2.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "4.2.0" | - |
Affected
| ||||||
Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 4.3.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "4.3.0" | - |
Affected
| ||||||
Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 5.0.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "5.0.0" | - |
Affected
| ||||||
Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 5.0.1 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "5.0.1" | - |
Affected
| ||||||
Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 5.1.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "5.1.0" | - |
Affected
| ||||||
Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 5.1.1 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "5.1.1" | - |
Affected
| ||||||
Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 5.1.2 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "5.1.2" | - |
Affected
| ||||||
Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 5.2.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "5.2.0" | - |
Affected
| ||||||
Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 5.2.1 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "5.2.1" | - |
Affected
| ||||||
Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 5.2.2 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "5.2.2" | - |
Affected
|