CVE-2012-5626

EJB method in Red Hat JBoss BRMS 5; Red Hat JBoss Enterprise Application Platform 5; Red Hat JBoss Operations Network 3.1; Red Hat JBoss Portal 4 and 5; Red Hat JBoss SOA Platform 4.2, 4.3, and 5; in Red Hat JBoss Enterprise Web Server 1 ignores roles specified using the @RunAs annotation...

CVE-2012-5626

EJB method in Red Hat JBoss BRMS 5; Red Hat JBoss Enterprise Application Platform 5; Red Hat JBoss Operations Network 3.1; Red Hat JBoss Portal 4 and 5; Red Hat JBoss SOA Platform 4.2, 4.3, and 5; in Red Hat JBoss Enterprise Web Server 1 ignores roles specified using the @RunAs annotation...

Design/Logic Flaw

EJB method in Red Hat JBoss BRMS 5; Red Hat JBoss Enterprise Application Platform 5; Red Hat JBoss Operations Network 3.1; Red Hat JBoss Portal 4 and 5; Red Hat JBoss SOA Platform 4.2, 4.3, and 5; in Red Hat JBoss Enterprise Web Server 1 ignores roles specified using the @RunAs annotation...

CVE-2012-4549

A flaw was found in JBoss Enterprise Application Platform. The processInvocation function within the org.jboss.as.ejb3.security.AuthorizationInterceptor component incorrectly authorizes all requests when no roles are defined for an Enterprise Java Beans EJB method invocation. This allows attacker...

JBoss Enterprise Application Platform 安全绕过漏洞(CVE-2012-4549)

Bugtraq ID:56990 CVE ID:CVE-2012-4549 JBOSS是一个基于J2EE的开放源代码的应用服务器。 在不允许任何角色调用EJB方法时，需要拒绝所有用户的调用。当允许角色列表为空时，org.jboss.as.ejb3.security.AuthorizationInterceptor中的processInvocation方法不正确授权方法调用，允许攻击者绕过安全限制执行未授权操作。 0 JBoss Enterprise Application Platform 6 厂商解决方案 JBoss Enterprise Application Platform...