CVE-2014-3472
Security: Invalid EJB caller role check implementation
Descriptions
The isCallerInRole function in SimpleSecurityManager in JBoss Application Server (AS) 7, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.3.0, does not properly check caller roles, which allows remote authenticated users to bypass access restrictions via unspecified vectors.
It was found that the isCallerInRole() method of the SimpleSecurityManager did not correctly check caller roles. A remote, authenticated attacker could use this flaw to circumvent the caller check in applications that use blacklist (deny-list) access control based on caller roles.
Timeline
- 2014-05-14 CVE Reserved
- 2014-08-07 CVE Published
- 2024-03-31 EPSS Updated
- 2024-08-06 CVE Updated
CWE
- CWE-184: Incomplete List of Disallowed Inputs
- CWE-264: Permissions, Privileges, and Access Controls
References (8)
URL | Tag | Date |
---|---|---|
http://www.securityfocus.com/bid/69094 | Vdb Entry | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/95170 | Vdb Entry | |
http://rhn.redhat.com/errata/RHSA-2014-1019.html | | 2017-08-29 |
http://rhn.redhat.com/errata/RHSA-2014-1020.html | | 2017-08-29 |
http://rhn.redhat.com/errata/RHSA-2014-1021.html | | 2017-08-29 |
http://rhn.redhat.com/errata/RHSA-2015-0720.html | | 2017-08-29 |
https://bugzilla.redhat.com/show_bug.cgi?id=1103815 | | 2015-05-14 |
https://access.redhat.com/security/cve/CVE-2014-3472 | | 2015-05-14 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Redhat | Jboss Enterprise Application Platform | 6.3.0 | - | Affected |