CVE-2012-0874

2013-02-0523:55:00

CWE-287

[email protected]

web.nvd.nist.gov

102

In Wild

cve-2012-0874

jboss

eap

ewp

brms

soa

remote code execution

6.6 Medium

AI Score

Confidence

High

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.058 Low

EPSS

Percentile

93.3%

JSON

The (1) JMXInvokerHAServlet and (2) EJBInvokerHAServlet invoker servlets in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 do not require authentication by default in certain profiles, which might allow remote attackers to invoke MBean methods and execute arbitrary code via unspecified vectors. NOTE: this issue can only be exploited when the interceptor is not properly configured with a “second layer of authentication,” or when used in conjunction with other vulnerabilities that bypass this second layer.

CPENameOperatorVersion
redhat:jboss_enterprise_application_platformredhat jboss enterprise application platformeq5.2.0
redhat:jboss_enterprise_web_platformredhat jboss enterprise web platformeq5.2.0
redhat:jboss_enterprise_brms_platformredhat jboss enterprise brms platformle5.3.0

CPE	Name	Operator	Version
redhat:jboss_enterprise_application_platform	redhat jboss enterprise application platform	eq	5.2.0
redhat:jboss_enterprise_web_platform	redhat jboss enterprise web platform	eq	5.2.0
redhat:jboss_enterprise_brms_platform	redhat jboss enterprise brms platform	le	5.3.0