CVE-2014-7853

Subsystem: Information disclosure via incorrect sensitivity classification of attribute

Severity Score

4.0

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The JBoss Application Server (WildFly) JacORB subsystem in Red Hat JBoss Enterprise Application Platform (EAP) before 6.3.3 does not properly assign socket-binding-ref sensitivity classification to the security-domain attribute, which allows remote authenticated users to obtain sensitive information by leveraging access to the security-domain attribute.

El subsistema JBoss Application Server (WildFly) JacORB en Red Hat JBoss Enterprise Application Platform (EAP) anterior a 6.3.3 no asigna correctamente la configuración de la sensibilidad de las referencias a vinculaciones de sockets al atributo del dominio de seguridad, lo que permite a usuarios remotos autenticados obtener información sensible mediante el aprovechamiento del acceso al atributo del dominio de seguridad.

It was discovered that the JBoss Application Server (WildFly) JacORB subsystem incorrectly assigned socket-binding-ref sensitivity classification for the security-domain attribute. An authenticated user with a role that has access to attributes with socket-binding-ref and not security-domain-ref sensitivity classification could use this flaw to access sensitive information present in the security-domain attribute.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2014-10-03 CVE Reserved
2015-02-12 CVE Published
2024-08-06 CVE Updated
2024-09-25 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CAPEC

References (9)

URL	Tag	Source
http://www.securitytracker.com/id/1031741	Vdb Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/100891	Vdb Entry

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
http://rhn.redhat.com/errata/RHSA-2015-0215.html	2017-09-08
http://rhn.redhat.com/errata/RHSA-2015-0216.html	2017-09-08
http://rhn.redhat.com/errata/RHSA-2015-0217.html	2017-09-08
http://rhn.redhat.com/errata/RHSA-2015-0218.html	2017-09-08
http://rhn.redhat.com/errata/RHSA-2015-0920.html	2017-09-08
https://access.redhat.com/security/cve/CVE-2014-7853	2015-04-30
https://bugzilla.redhat.com/show_bug.cgi?id=1165522	2015-04-30

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Redhat Search vendor "Redhat"		Jboss Operations Network Search vendor "Redhat" for product "Jboss Operations Network"				3.3.1 Search vendor "Redhat" for product "Jboss Operations Network" and version "3.3.1"		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				<= 6.3.2 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version " <= 6.3.2"		-		Affected