CVE-2010-1428
In short
The JBoss EAP Web Console enforces its access control only on GET and POST requests, so the same restricted resources can be requested with another HTTP method without authenticating, exposing sensitive information to remote attackers.
Technical detail
The Web Console (web-console) in JBoss EAP 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 applies its access control only to requests that use the GET and POST methods. A request for the same resource sent with any other HTTP method (the official description does not say which; HEAD, OPTIONS and TRACE are the usual candidates in this class of verb-tampering flaw) is not subject to the authentication requirement, so an unauthenticated remote attacker can retrieve information the console is meant to restrict. The defect is in the scope of the access-control rule, not in the authentication mechanism itself, which is why observing a 401 for a GET to a protected path says nothing about how the other verbs are handled. Red Hat shipped the corrected console in the cumulative patches named above; the RHSA errata in the references cover the affected EAP releases.
Summary generated and translated by AI from the official description.
The Web Console (aka web-console) in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to obtain sensitive information via an unspecified request that uses a different method.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
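The behaviour described above matches the servlet deployment-descriptor pattern in which a security-constraint's web-resource-collection enumerates http-method elements, so its auth-constraint covers only the listed verbs and every other verb reaches the resource unauthenticated. As an added example (not code from the advisory, JBoss or Red Hat, and the advisory itself does not reproduce the descriptor), the Python below parses a constructed web.xml modelled on that weak pattern, reports which verbs reach a protected path without passing an auth-constraint, and shows that the same descriptor with the http-method elements removed covers every verb. The descriptor, resource name and role name are constructed placeholders, not the real web-console web.xml.

```python
"""Audit servlet security-constraint elements for verb-tampering exposure.

Added example, not code from the advisory or from JBoss/Red Hat. The
descriptors are constructed to model the flaw class (auth scoped to GET
and POST); names and roles are placeholders.
"""
import xml.etree.ElementTree as ET

# Constructed: http-method elements limit the auth-constraint to GET and POST.
WEAK_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Console</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>AdminRole</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

# Constructed hardened variant: same descriptor with the http-method lines
# removed, so the constraint applies to every HTTP method.
FIXED_WEB_XML = "\n".join(
    line for line in WEAK_WEB_XML.splitlines() if "<http-method>" not in line
)

VERBS = ("GET", "POST", "HEAD", "OPTIONS", "PUT", "DELETE", "TRACE")


def _local(tag: str) -> str:
    """Strip the XML namespace so the audit works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def parse_constraints(web_xml: str) -> list[dict]:
    """One dict per security-constraint: url patterns, verbs, omissions, auth flag."""
    keys = {"url-pattern": "patterns", "http-method": "methods",
            "http-method-omission": "omissions"}
    constraints = []
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        entry = {"patterns": [], "methods": [], "omissions": [], "auth": False}
        for child in sc:
            if _local(child.tag) == "auth-constraint":
                entry["auth"] = True
            elif _local(child.tag) == "web-resource-collection":
                for el in child:
                    key = keys.get(_local(el.tag))
                    text = (el.text or "").strip()
                    if key:
                        entry[key].append(text if key == "patterns" else text.upper())
        constraints.append(entry)
    return constraints


def _matches(pattern: str, path: str) -> bool:
    """Servlet-style match: prefix (/x/*), extension (*.jsp) or exact pattern."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def is_protected(constraints: list[dict], method: str, path: str) -> bool:
    """True if some auth-constraint covers this method for this path."""
    method = method.upper()
    for c in constraints:
        if not c["auth"] or not any(_matches(p, path) for p in c["patterns"]):
            continue
        if c["methods"]:              # enumerated verbs: only those are covered
            covered = method in c["methods"]
        elif c["omissions"]:          # Servlet 3.0 style: all verbs except the listed
            covered = method not in c["omissions"]
        else:                         # no method elements: every verb is covered
            covered = True
        if covered:
            return True
    return False


def unprotected_verbs(web_xml: str, path: str = "/index.jsp") -> list[str]:
    """Verbs that reach `path` without passing through any auth-constraint."""
    constraints = parse_constraints(web_xml)
    return [v for v in VERBS if not is_protected(constraints, v, path)]


def audit(web_xml: str) -> list[str]:
    """Findings for constraints that enumerate http-method (the CVE-2010-1428 pattern)."""
    return [
        f"{','.join(c['patterns'])}: auth only for {','.join(c['methods'])}; "
        "drop the http-method elements or switch to http-method-omission"
        for c in parse_constraints(web_xml) if c["auth"] and c["methods"]
    ]
```

Running `unprotected_verbs(WEAK_WEB_XML)` lists HEAD, OPTIONS, PUT, DELETE and TRACE as reaching `/index.jsp` unauthenticated, while the fixed descriptor yields an empty list and no audit findings. Pointing `parse_constraints` at the web.xml files inside deployed WARs is a quick way to find the same pattern in your own applications; the URL-pattern matcher is simplified and does not model every servlet mapping rule.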
Affected products
Red Hat JBoss Enterprise Application Platform (JBoss EAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08; the feed's vendor/product fields are n/a · n/a.
References
http://marc.info/?l=bugtraq&m=132698550418872&w=2
https://bugzilla.redhat.com/show_bug.cgi?id=585899
http://secunia.com/advisories/39563
http://securitytracker.com/id?1023917
https://exchange.xforce.ibmcloud.com/vulnerabilities/58148
https://rhn.redhat.com/errata/RHSA-2010-0376.html
https://rhn.redhat.com/errata/RHSA-2010-0377.html
https://rhn.redhat.com/errata/RHSA-2010-0378.html
https://rhn.redhat.com/errata/RHSA-2010-0379.html
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2010-1428
http://www.securityfocus.com/bid/39710
http://www.vupen.com/english/advisories/2010/0992