CVE-2020-14299
picketbox: JBoss EAP reload to admin-only mode allows authentication bypass
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
A flaw was found in JBoss EAP, where the authentication configuration is set-up using a legacy SecurityRealm, to delegate to a legacy PicketBox SecurityDomain, and then reloaded to admin-only mode. This flaw allows an attacker to perform a complete authentication bypass by using an arbitrary user and password. The highest threat to vulnerability is to system availability.
Se encontró un fallo en JBoss EAP, donde la configuración de autenticación se configura usando un SecurityRealm heredado, para delegarlo en un SecurityDomain PicketBox heredado, y luego se vuelve a cargar al modo de solo administrador. Este fallo permite a un atacante llevar a cabo una omisión de autenticación completa mediante el uso de un usuario y una contraseña arbitrarios. La mayor amenaza a la vulnerabilidad es la disponibilidad del sistema
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-06-17 CVE Reserved
- 2020-10-13 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-04 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-287: Improper Authentication
CAPEC
References (2)
URL | Tag | Source |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=1848533 | 2020-10-27 | |
https://access.redhat.com/security/cve/CVE-2020-14299 | 2020-12-16 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | < 5.0.3 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version " < 5.0.3" | - |
Affected
| ||||||
Redhat Search vendor "Redhat" | Openshift Application Runtimes Search vendor "Redhat" for product "Openshift Application Runtimes" | - | - |
Affected
| ||||||
Redhat Search vendor "Redhat" | Single Sign-on Search vendor "Redhat" for product "Single Sign-on" | 7.0 Search vendor "Redhat" for product "Single Sign-on" and version "7.0" | - |
Affected
|