CVE-2014-0005
PicketBox/JBossSX: Unauthorized access to and modification of application server configuration and state by application
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
PicketBox and JBossSX, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.2.2 and JBoss BRMS before 6.0.3 roll up patch 2, allows remote authenticated users to read and modify the application sever configuration and state by deploying a crafted application.
PicketBox y JBossSX, utilizado en Red Hat JBoss Enterprise Application Platform (JBEAP) 6.2.2 y JBoss BRMS anterior a 6.0.3 roll up patch 2, permite a usuarios remotos autenticados leer y modificar la configuración y estado del servidor de la aplicación mediante el despliegue de una aplicación manipulada.
It was identified that PicketBox/JBossSX allowed any deployed application to alter or read the underlying application server configuration and state without any authorization checks. An attacker able to deploy applications could use this flaw to circumvent security constraints applied to other applications deployed on the same system, disclose privileged information, and in certain cases allow arbitrary code execution.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2013-12-03 CVE Reserved
- 2015-02-17 CVE Published
- 2024-08-06 CVE Updated
- 2024-08-16 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-264: Permissions, Privileges, and Access Controls
- CWE-862: Missing Authorization
CAPEC
References (8)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://rhn.redhat.com/errata/RHSA-2014-0343.html | 2015-03-28 | |
| http://rhn.redhat.com/errata/RHSA-2014-0344.html | 2015-03-28 | |
| http://rhn.redhat.com/errata/RHSA-2014-0345.html | 2015-03-28 | |
| http://rhn.redhat.com/errata/RHSA-2015-0234.html | 2015-03-28 | |
| http://rhn.redhat.com/errata/RHSA-2015-0235.html | 2015-03-28 | |
| http://rhn.redhat.com/errata/RHSA-2015-0720.html | 2015-03-28 | |
| https://access.redhat.com/security/cve/CVE-2014-0005 | 2015-05-14 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1049736 | 2015-05-14 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 6.2.2 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "6.2.2" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Brms Platform Search vendor "Redhat" for product "Jboss Enterprise Brms Platform" | <= 6.0.3 Search vendor "Redhat" for product "Jboss Enterprise Brms Platform" and version " <= 6.0.3" | - |
Affected
| ||||||