CVE-2017-12167

EAP-7: Wrong privileges on multiple property files

Severity Score

5.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

It was found in EAP 7 before 7.0.9 that properties based files of the management and the application realm configuration that contain user to role mapping are world readable allowing access to users and roles information to all the users logged in to the system.

Se ha detectado en EAP 7 en versiones anteriores a la 7.0.9 que los archivos basados en propiedades de la administración y la configuración del dominio de la aplicación que contienen mapeo de usuario a rol son legibles para todos los usuarios, permitiendo el acceso a la información de usuarios y roles a todos los usuarios conectados al sistema.

It was found that properties based files of the management and the application realm configuration that contain user to role mapping are world readable allowing access to users and roles information to all the users logged in to the system.

Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 7.0.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.0.8, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix: It was found that Apache Lucene would accept an object from an unauthenticated user that could be manipulated through subsequent post requests. An attacker could use this flaw to assemble an object that could permit execution of arbitrary code if the server enabled Apache Solr's Config API.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-08-01 CVE Reserved
2017-12-14 CVE Published
2024-08-05 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-732: Incorrect Permission Assignment for Critical Resource

CAPEC

References (12)

URL	Tag	Source
http://www.securityfocus.com/bid/100903	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2017:3454	2019-10-09
https://access.redhat.com/errata/RHSA-2017:3455	2019-10-09
https://access.redhat.com/errata/RHSA-2017:3456	2019-10-09
https://access.redhat.com/errata/RHSA-2017:3458	2019-10-09
https://access.redhat.com/errata/RHSA-2018:0002	2019-10-09
https://access.redhat.com/errata/RHSA-2018:0003	2019-10-09
https://access.redhat.com/errata/RHSA-2018:0004	2019-10-09
https://access.redhat.com/errata/RHSA-2018:0005	2019-10-09
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12167	2019-10-09
https://access.redhat.com/security/cve/CVE-2017-12167	2018-01-03
https://bugzilla.redhat.com/show_bug.cgi?id=1491612	2018-01-03

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Redhat Search vendor "Redhat"	Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"	7.1.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.1.0"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"	6.0 Search vendor "Redhat" for product "Enterprise Linux" and version "6.0"	-	Safe
Redhat Search vendor "Redhat"	Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"	7.1.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.1.0"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"	7.0 Search vendor "Redhat" for product "Enterprise Linux" and version "7.0"	-	Safe
Redhat Search vendor "Redhat"	Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"	7.0.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.0.0"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"	6.0 Search vendor "Redhat" for product "Enterprise Linux" and version "6.0"	-	Safe
Redhat Search vendor "Redhat"	Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"	7.0.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.0.0"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"	7.0 Search vendor "Redhat" for product "Enterprise Linux" and version "7.0"	-	Safe
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				< 7.0.9 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version " < 7.0.9"		-		Affected