CVE-2017-12149

🗓️ 04 Oct 2017 20:00:00Reported by redhatType

cve🔗 web.nvd.nist.gov📰️ 2 Media mentions👁 1352 Views🌐 WEB

Jboss App Server allows arbitrary code execution via deserialization in HTTP Invoker

Reporter	Title	Published	Views	Family All 45
0day.today	JBOSSAS 5.x/6.x Deserializer Vulnerability	27 Nov 201700:00	–	zdt
GithubExploit	Exploit for Deserialization of Untrusted Data in Redhat Jboss_Enterprise_Application_Platform	22 Dec 201707:30	–	githubexploit
GithubExploit	Exploit for Deserialization of Untrusted Data in Redhat Data_Grid	21 Feb 202005:23	–	githubexploit
GithubExploit	Exploit for Deserialization of Untrusted Data in Redhat Jboss_Enterprise_Application_Platform	1 Jan 202622:35	–	githubexploit
GithubExploit	Exploit for Missing Authentication for Critical Function in Oracle Weblogic_Server	23 Dec 201713:04	–	githubexploit
GithubExploit	Exploit for Deserialization of Untrusted Data in Redhat Jboss_Enterprise_Application_Platform	11 Sep 201714:31	–	githubexploit
Gitee	Exploit for Deserialization of Untrusted Data in Redhat Jboss_Enterprise_Application_Platform	8 Dec 202020:38	–	gitee
Gitee	Exploit for Deserialization of Untrusted Data in Redhat Jboss_Enterprise_Application_Platform	7 Jul 202020:12	–	gitee
Gitee	Exploit for Deserialization of Untrusted Data in Redhat Jboss_Enterprise_Application_Platform	6 May 202015:20	–	gitee
Gitee	Exploit for Argument Injection in Phpmailer_Project Phpmailer	5 Dec 201914:28	–	gitee

NVD

Node

redhat jboss_enterprise_application_platformMatch-text-only

redhat jboss_enterprise_application_platformMatch5.0.0

redhat jboss_enterprise_application_platformMatch5.0.1

redhat jboss_enterprise_application_platformMatch5.1.0

redhat jboss_enterprise_application_platformMatch5.1.1

redhat jboss_enterprise_application_platformMatch5.1.2

redhat jboss_enterprise_application_platformMatch5.2.0

redhat jboss_enterprise_application_platformMatch5.2.1

redhat jboss_enterprise_application_platformMatch5.2.2

[
  {
    "product": "jbossas",
    "vendor": "Red Hat, Inc.",
    "versions": [
      {
        "status": "affected",
        "version": "n/a"
      }
    ]
  }
]

Source	Link
github	www.github.com/gottburgm/Exploits/tree/master/CVE-2017-12149
securityfocus	www.securityfocus.com/bid/100591
access	www.access.redhat.com/errata/RHSA-2018:1608
bugzilla	www.bugzilla.redhat.com/show_bug.cgi
access	www.access.redhat.com/errata/RHSA-2018:1607
cisa	www.cisa.gov/known-exploited-vulnerabilities-catalog

Parameter	Position	Path	Description	CWE
body	request body	/invoker/readonly	Deserialization vulnerability in ReadOnlyAccessFilter of HTTP Invoker allows execution of arbitrary code via crafted serialized data.	CWE-502

17 Jun 2026 01:02Current

9.7High risk

Vulners AI Score9.7

CVSS 27.5

CVSS 3.19.8

EPSS0.90713

SSVC