Information Disclosure

2020-04-1000:42:53

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

JSON

JMX-console is vulnerable to information disclosure. The JMX Console configuration only specified an authentication requirement for requests that used the GET and POST HTTP “verbs”. A remote attacker could create an HTTP request that does not specify GET or POST, causing it to be executed by the default GET handler without authentication. This release contains a JMX Console with an updated configuration that no longer specifies the HTTP verbs. This means that the authentication requirement is applied to all requests.

CPENameOperatorVersion
hibernate3-annotationseq3.2.1__1.patch01.1jpp.ep1.3.el5
hibernate3-annotationseq3.2.1__1.patch02.1jpp.ep1.2.el5.1
hibernate3-annotationseq3.2.1__1.patch02.1jpp.ep1.2.el4
jboss-seameq1.2.1__1.ep1.3.el4
jboss-seameq1.2.1__1.ep1.2.el5
jboss-seameq1.2.1__1.ep1.3.el5
jboss-seameq1.2.0__1.AP.ep1.19.el5
rh-eap-docseq4.2.0__3.GA_CP02.ep1.1.el4
rh-eap-docseq4.2.0__1.ep1.22.el5
rh-eap-docseq4.2.0__3.GA_CP02.ep1.1.el5.1

Name	Operator	Version
hibernate3-annotations	eq	3.2.1__1.patch01.1jpp.ep1.3.el5
hibernate3-annotations	eq	3.2.1__1.patch02.1jpp.ep1.2.el5.1
hibernate3-annotations	eq	3.2.1__1.patch02.1jpp.ep1.2.el4
jboss-seam	eq	1.2.1__1.ep1.3.el4
jboss-seam	eq	1.2.1__1.ep1.2.el5
jboss-seam	eq	1.2.1__1.ep1.3.el5
jboss-seam	eq	1.2.0__1.AP.ep1.19.el5
rh-eap-docs	eq	4.2.0__3.GA_CP02.ep1.1.el4
rh-eap-docs	eq	4.2.0__1.ep1.22.el5
rh-eap-docs	eq	4.2.0__3.GA_CP02.ep1.1.el5.1