← voltar
CVE-2012-4549

Jboss enterprise application platform: org.jboss.as.ejb3: jboss enterprise application platform: access restriction bypass via improper ejb method authorization

CVSS 6.5 MEDIUMEPSS 1.3%CWE-266
A flaw was found in JBoss Enterprise Application Platform. The `processInvocation` function within the `org.jboss.as.ejb3.security.AuthorizationInterceptor` component incorrectly authorizes all requests when no roles are defined for an Enterprise Java Beans (EJB) method invocation. This allows attackers to bypass intended access restrictions for EJB methods, leading to unauthorized access to sensitive functionalities.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Produtos afetados
Red Hat · Red Hat JBoss Enterprise Application Platform 6.0Red Hat · Red Hat JBoss Enterprise Application Platform 6 for RHEL 5Red Hat · Red Hat JBoss Enterprise Application Platform 6 for RHEL 6Red Hat · Red Hat JBoss Enterprise Application Platform 7Red Hat · Red Hat JBoss Enterprise Application Platform 8Red Hat · Red Hat JBoss Enterprise Application Platform Expansion Pack

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
http://rhn.redhat.com/errata/RHSA-2012-1591.htmlhttp://rhn.redhat.com/errata/RHSA-2012-1592.htmlhttp://rhn.redhat.com/errata/RHSA-2012-1594.htmlhttps://access.redhat.com/errata/RHSA-2012:1591https://access.redhat.com/errata/RHSA-2012:1592https://access.redhat.com/errata/RHSA-2012:1594https://access.redhat.com/security/cve/CVE-2012-4549http://secunia.com/advisories/51607