CVE-2012-4549

2013-01-0500:55:02

CWE-264

[email protected]

web.nvd.nist.gov

jboss

eap

jbeap

authorizationinterceptor

cve-2012-4549

security vulnerability

5.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

6.4 Medium

AI Score

Confidence

Low

0.002 Low

EPSS

Percentile

56.1%

JSON

The processInvocation function in org.jboss.as.ejb3.security.AuthorizationInterceptor in JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) before 6.0.1, authorizes all requests when no roles are allowed for an Enterprise Java Beans (EJB) method invocation, which allows attackers to bypass intended access restrictions for EJB methods.

Affected configurations

NVD

Node

redhatjboss_enterprise_application_platformRange≤6.0.0

redhatjboss_enterprise_application_platformMatch4.2.0

redhatjboss_enterprise_application_platformMatch4.3.0

redhatjboss_enterprise_application_platformMatch5.0.0

redhatjboss_enterprise_application_platformMatch5.0.1

redhatjboss_enterprise_application_platformMatch5.1.0

redhatjboss_enterprise_application_platformMatch5.1.1

redhatjboss_enterprise_application_platformMatch5.1.2

redhatjboss_enterprise_application_platformMatch5.2.0

redhatjboss_enterprise_application_platformMatch5.2.1

redhatjboss_enterprise_application_platformMatch5.2.2

CPENameOperatorVersion
redhat:jboss_enterprise_application_platformredhat jboss enterprise application platformle6.0.0
redhat:jboss_enterprise_application_platformredhat jboss enterprise application platformeq4.2.0
redhat:jboss_enterprise_application_platformredhat jboss enterprise application platformeq4.3.0
redhat:jboss_enterprise_application_platformredhat jboss enterprise application platformeq5.0.0
redhat:jboss_enterprise_application_platformredhat jboss enterprise application platformeq5.0.1
redhat:jboss_enterprise_application_platformredhat jboss enterprise application platformeq5.1.0
redhat:jboss_enterprise_application_platformredhat jboss enterprise application platformeq5.1.1
redhat:jboss_enterprise_application_platformredhat jboss enterprise application platformeq5.1.2
redhat:jboss_enterprise_application_platformredhat jboss enterprise application platformeq5.2.0
redhat:jboss_enterprise_application_platformredhat jboss enterprise application platformeq5.2.1

CPE	Name	Operator	Version
redhat:jboss_enterprise_application_platform	redhat jboss enterprise application platform	le	6.0.0
redhat:jboss_enterprise_application_platform	redhat jboss enterprise application platform	eq	4.2.0
redhat:jboss_enterprise_application_platform	redhat jboss enterprise application platform	eq	4.3.0
redhat:jboss_enterprise_application_platform	redhat jboss enterprise application platform	eq	5.0.0
redhat:jboss_enterprise_application_platform	redhat jboss enterprise application platform	eq	5.0.1
redhat:jboss_enterprise_application_platform	redhat jboss enterprise application platform	eq	5.1.0
redhat:jboss_enterprise_application_platform	redhat jboss enterprise application platform	eq	5.1.1
redhat:jboss_enterprise_application_platform	redhat jboss enterprise application platform	eq	5.1.2
redhat:jboss_enterprise_application_platform	redhat jboss enterprise application platform	eq	5.2.0
redhat:jboss_enterprise_application_platform	redhat jboss enterprise application platform	eq	5.2.1