CVE-2012-4572

JBoss: custom authorization module implementations shared between applications

Severity Score

9.1

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Red Hat JBoss Enterprise Application Platform (EAP) before 6.1.0 and JBoss Portal before 6.1.0 does not load the implementation of a custom authorization module for a new application when an implementation is already loaded and the modules share class names, which allows local users to control certain applications' authorization decisions via a crafted application.

Red Hat JBoss Enterprise Application Platform (EAP) antes de 6.1.0 y JBoss Portal anteriores a 6.1.0 no carga la implementación de un módulo de autorización personalizado para una nueva aplicación cuando una aplicación está ya cargada y los módulos comparten los nombres de clase, lo que permite a usuarios locales controlar las decisiones de autorización ciertas aplicaciones a través de una aplicación manipulada.

JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. This release serves as a replacement for JBoss Enterprise Application Platform 6.0.1, and includes bug fixes and enhancements.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Attack Vector

Local

Attack Complexity

High

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2012-08-21 CVE Reserved
2013-05-20 CVE Published
2024-08-06 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-264: Permissions, Privileges, and Access Controls

CAPEC

References (5)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
http://rhn.redhat.com/errata/RHSA-2013-0833.html	2013-10-30
http://rhn.redhat.com/errata/RHSA-2013-0834.html	2013-10-30
http://rhn.redhat.com/errata/RHSA-2013-1437.html	2013-10-30
https://access.redhat.com/security/cve/CVE-2012-4572	2013-10-16
https://bugzilla.redhat.com/show_bug.cgi?id=872059	2013-10-16

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				<= 6.0.1 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version " <= 6.0.1"		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				4.2.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "4.2.0"		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				4.3.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "4.3.0"		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				5.0.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "5.0.0"		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				5.0.1 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "5.0.1"		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				5.1.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "5.1.0"		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				5.1.1 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "5.1.1"		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				5.1.2 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "5.1.2"		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				5.2.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "5.2.0"		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				5.2.1 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "5.2.1"		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				5.2.2 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "5.2.2"		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				6.0.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "6.0.0"		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Portal Platform Search vendor "Redhat" for product "Jboss Enterprise Portal Platform"				<= 6.0.0 Search vendor "Redhat" for product "Jboss Enterprise Portal Platform" and version " <= 6.0.0"		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Portal Platform Search vendor "Redhat" for product "Jboss Enterprise Portal Platform"				4.3.0 Search vendor "Redhat" for product "Jboss Enterprise Portal Platform" and version "4.3.0"		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Portal Platform Search vendor "Redhat" for product "Jboss Enterprise Portal Platform"				5.0.0 Search vendor "Redhat" for product "Jboss Enterprise Portal Platform" and version "5.0.0"		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Portal Platform Search vendor "Redhat" for product "Jboss Enterprise Portal Platform"				5.0.1 Search vendor "Redhat" for product "Jboss Enterprise Portal Platform" and version "5.0.1"		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Portal Platform Search vendor "Redhat" for product "Jboss Enterprise Portal Platform"				5.1.0 Search vendor "Redhat" for product "Jboss Enterprise Portal Platform" and version "5.1.0"		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Portal Platform Search vendor "Redhat" for product "Jboss Enterprise Portal Platform"				5.1.1 Search vendor "Redhat" for product "Jboss Enterprise Portal Platform" and version "5.1.1"		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Portal Platform Search vendor "Redhat" for product "Jboss Enterprise Portal Platform"				5.2.0 Search vendor "Redhat" for product "Jboss Enterprise Portal Platform" and version "5.2.0"		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Portal Platform Search vendor "Redhat" for product "Jboss Enterprise Portal Platform"				5.2.1 Search vendor "Redhat" for product "Jboss Enterprise Portal Platform" and version "5.2.1"		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Portal Platform Search vendor "Redhat" for product "Jboss Enterprise Portal Platform"				5.2.2 Search vendor "Redhat" for product "Jboss Enterprise Portal Platform" and version "5.2.2"		-		Affected