CVE-2010-0738


CVSS 5.3 MEDIUM · EPSS 79.4% · KEV · CWE-749
In short

The JMX-Console web application in JBoss fails to protect against requests using HTTP methods other than GET and POST, allowing attackers to bypass access controls and reach protected functions.

Technical detail

The JMX-Console application applies its access-control check only to GET and POST requests (CWE-749: Exposed Dangerous Method or Function). A request for the same resource sent with any other HTTP method (e.g., PUT, DELETE, HEAD, OPTIONS) is not subject to the check but is still routed to the same handler, so an attacker can reach protected functions without authenticating, potentially leading to unauthorized configuration changes or information disclosure.

Summary generated and translated by AI from the official description.
The JMX-Console web application in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to send requests to this application's GET handler by using a different method.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
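The defect described above comes from how a servlet security constraint is declared. The descriptor fragment below is an added illustration, not the JBoss project's own `web.xml`: it shows the weak form, in which the constraint is limited to the listed verbs, next to the corrected form that covers every method. The resource name, URL pattern and role name are assumptions chosen for the example.

```xml
<!-- Added illustration; not the jmx-console's actual deployment descriptor. -->
<!-- WEAK: naming http-method elements restricts ONLY those verbs. A request for
     the same URL with any other method (HEAD, PUT, OPTIONS, ...) falls outside
     the constraint and is served without authentication. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>   <!-- assumed name -->
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>                    <!-- assumed role -->
  </auth-constraint>
</security-constraint>

<!-- CORRECTED: omit http-method entirely, so the auth-constraint applies to
     every HTTP method that reaches the matched URL pattern. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>   <!-- assumed name -->
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>                    <!-- assumed role -->
  </auth-constraint>
</security-constraint>
```

When reviewing a deployment, treat any `security-constraint` that enumerates `http-method` elements as a finding unless the uncovered verbs are deliberately meant to be public. On containers that implement Servlet 3.1 or later, `<deny-uncovered-http-methods/>` at the top level of `web.xml` makes the container reject requests with methods a constraint does not cover; the JBoss EAP 4.x releases named in this advisory predate that element, so there the fix is to drop the method list as shown.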
Affected products
n/a · n/a
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
