Information Disclosure

2020-04-1000:42:54

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

JSON

jboss AS web console is vulnerable to information disclosure. Unauthenticated access to the JBoss Application Server Web Console (/web-console) is blocked by default. However, it was found that this block was incomplete, and only blocked GET and POST HTTP verbs. A remote attacker could use this flaw to gain access to sensitive information. This release contains a Web Console with an updated configuration that now blocks all unauthenticated access to it by default.

CPENameOperatorVersion
hibernate3eq3.2.4__1.SP1_CP01.0jpp.ep1.1.el5.1
hibernate3eq3.2.4__1.SP1_CP02.0jpp.ep1.1.el5.1
hibernate3eq3.2.4__1.SP1_CP02.0jpp.ep1.1.el4
jboss-seam2eq2.0.2.FP_SEC1__1.ep2.6.el4
jboss-seam2eq2.0.2.FP_SEC1__1.ep2.6.el5
jboss-seam2eq2.0.2.FP_SEC1__1.ep2.3.el5
jboss-seam2eq2.0.2.FP_SEC1__1.ep2.4.el4
jboss-seam2eq2.0.2.FP_SEC1__1.ep2.7.el4
jboss-seam2eq2.0.2.FP_SEC1__1.ep2.7.el5
rh-eap-docseq4.2.0__3.GA_CP02.ep1.1.el5.1

Name	Operator	Version
hibernate3	eq	3.2.4__1.SP1_CP01.0jpp.ep1.1.el5.1
hibernate3	eq	3.2.4__1.SP1_CP02.0jpp.ep1.1.el5.1
hibernate3	eq	3.2.4__1.SP1_CP02.0jpp.ep1.1.el4
jboss-seam2	eq	2.0.2.FP_SEC1__1.ep2.6.el4
jboss-seam2	eq	2.0.2.FP_SEC1__1.ep2.6.el5
jboss-seam2	eq	2.0.2.FP_SEC1__1.ep2.3.el5
jboss-seam2	eq	2.0.2.FP_SEC1__1.ep2.4.el4
jboss-seam2	eq	2.0.2.FP_SEC1__1.ep2.7.el4
jboss-seam2	eq	2.0.2.FP_SEC1__1.ep2.7.el5
rh-eap-docs	eq	4.2.0__3.GA_CP02.ep1.1.el5.1