46 matches found

RedHat Linux
added 2013/12/04 5:58 p.m., 3 views

WS: EJB3 role restrictions are not applied to jaxws handlers

A flaw was found in the way method-level authorization for JAX-WS Service endpoints was performed by the EJB invocation handler implementation. Any restrictions declared on EJB methods were ignored when executing the JAX-WS handlers, and only class-level restrictions were applied. A remote attack...

CVSS 5.5, AI score 5.8, EPSS 0.01809
Exploits: 0, References: 4

RedHat Linux
added 2013/10/16 4:45 p.m., 3 views

ejb-client: Session fixation due improper connection caching

Red Hat JBoss Enterprise Application Platform EAP 6.1.0 does not properly cache EJB invocations by the EJB client API, which allows remote attackers to hijack sessions by using an EJB client...

CVSS 6.4, AI score 5.9, EPSS 0.02453
Exploits: 1, References: 4

Prion
added 2013/01/05 12:55 a.m., 22 views

Input validation

The processInvocation function in org.jboss.as.ejb3.security.AuthorizationInterceptor in JBoss Enterprise Application Platform aka JBoss EAP or JBEAP before 6.0.1, authorizes all requests when no roles are allowed for an Enterprise Java Beans EJB method invocation, which allows attackers to bypas...

CVSS 5.8, AI score 6.9, EPSS 0.01305
Exploits: 1, References: 4, Affected Software: 1

RedHat Linux
added 2012/12/18 10:43 p.m., 5 views

JBoss Enterprise Application Platform: org.jboss.as.ejb3: JBoss Enterprise Application Platform: Access restriction bypass via improper EJB method authorization

A flaw was found in JBoss Enterprise Application Platform. The processInvocation function within the org.jboss.as.ejb3.security.AuthorizationInterceptor component incorrectly authorizes all requests when no roles are defined for an Enterprise Java Beans EJB method invocation. This allows attacker...

CVSS 5.8, AI score 5.7, EPSS 0.01305
Exploits: 1, References: 7

RedHat Linux
added 2012/12/18 10:17 p.m., 4 views

JBoss Enterprise Application Platform: org.jboss.as.ejb3: JBoss Enterprise Application Platform: Access restriction bypass via improper EJB method authorization

A flaw was found in JBoss Enterprise Application Platform. The processInvocation function within the org.jboss.as.ejb3.security.AuthorizationInterceptor component incorrectly authorizes all requests when no roles are defined for an Enterprise Java Beans EJB method invocation. This allows attacker...

CVSS 5.8, AI score 5.7, EPSS 0.01305
Exploits: 1, References: 7

Packet Storm
added 2012/03/11 12:00 a.m., 25 views

EJBCA 4.0.7 Cross Site Scripting / User Enumeration

Hello list! I want to warn you about multiple security vulnerabilities in Enterprise Java Beans Certificate Authority (EJBCA). These are Cross-Site Scripting, Brute Force and Abuse of Functionality vulnerabilities. EJBCA is a PKI server. Citation from the official web site: A Certification Authority...

AI score 0.2
Exploits: 0