CVE-2012-4549
Jboss enterprise application platform: org.jboss.as.ejb3: jboss enterprise application platform: access restriction bypass via improper ejb method authorization
A flaw was found in JBoss Enterprise Application Platform. The `processInvocation` function within the `org.jboss.as.ejb3.security.AuthorizationInterceptor` component incorrectly authorizes all requests when no roles are defined for an Enterprise Java Beans (EJB) method invocation. This allows attackers to bypass intended access restrictions for EJB methods, leading to unauthorized access to sensitive functionalities.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Productos afectados
Red Hat · Red Hat JBoss Enterprise Application Platform 6.0Red Hat · Red Hat JBoss Enterprise Application Platform 6 for RHEL 5Red Hat · Red Hat JBoss Enterprise Application Platform 6 for RHEL 6Red Hat · Red Hat JBoss Enterprise Application Platform 7Red Hat · Red Hat JBoss Enterprise Application Platform 8Red Hat · Red Hat JBoss Enterprise Application Platform Expansion Pack¿Quieres saber si tu infraestructura está expuesta a esto?
Hablar con TrueHacking →Referencias
http://rhn.redhat.com/errata/RHSA-2012-1591.htmlhttp://rhn.redhat.com/errata/RHSA-2012-1592.htmlhttp://rhn.redhat.com/errata/RHSA-2012-1594.htmlhttps://access.redhat.com/errata/RHSA-2012:1591https://access.redhat.com/errata/RHSA-2012:1592https://access.redhat.com/errata/RHSA-2012:1594https://access.redhat.com/security/cve/CVE-2012-4549http://secunia.com/advisories/51607