Permissions, Privileges, and Access Controls in JBoss Enterprise Application Platform - CVE-2012-4549

Published: January 5, 2013 / Updated: August 11, 2020


Vulnerability identifier: #VU43213
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2012-4549
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Red Hat Inc.
Affected software:
JBoss Enterprise Application Platform

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The processInvocation function in org.jboss.as.ejb3.security.AuthorizationInterceptor in JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) before 6.0.1 authorizes all requests when no roles are allowed for an Enterprise Java Beans (EJB) method invocation, which allows attackers to bypass intended access restrictions for EJB methods.
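
The fail-open pattern the description names, shown as an added illustration next to its fail-closed counterpart. This is not JBoss's AuthorizationInterceptor code; the MethodRoles class, the two authorize methods and the sample role sets are assumptions constructed for the example.

```java
import java.util.Collections;
import java.util.Set;

/** Hypothetical stand-in for the per-method security metadata an EJB container keeps. */
final class MethodRoles {
    final boolean denyAll;          // method marked deny-all
    final boolean permitAll;        // method marked permit-all
    final Set<String> allowedRoles; // roles-allowed list; may be empty

    MethodRoles(boolean denyAll, boolean permitAll, Set<String> allowedRoles) {
        this.denyAll = denyAll;
        this.permitAll = permitAll;
        this.allowedRoles = allowedRoles;
    }
}

final class AuthorizationCheck {
    /** Fail-open: an empty allowed-roles set grants every caller (the defect class described above). */
    static boolean vulnerableAuthorize(MethodRoles m, Set<String> callerRoles) {
        if (m.denyAll) return false;
        if (m.permitAll) return true;
        if (m.allowedRoles.isEmpty()) return true;   // BUG: "no roles allowed" treated as "allow"
        return m.allowedRoles.stream().anyMatch(callerRoles::contains);
    }

    /** Fail-closed: when no role is allowed, no caller is authorized. */
    static boolean hardenedAuthorize(MethodRoles m, Set<String> callerRoles) {
        if (m.denyAll) return false;
        if (m.permitAll) return true;
        if (m.allowedRoles.isEmpty()) return false;  // FIX: absence of allowed roles means deny
        return m.allowedRoles.stream().anyMatch(callerRoles::contains);
    }

    public static void main(String[] args) {
        // Constructed sample: a method with no allowed roles, invoked by an unauthenticated caller.
        MethodRoles noRoles = new MethodRoles(false, false, Collections.emptySet());
        Set<String> anonymous = Collections.emptySet();
        System.out.println("vulnerable authorizes anonymous: " + vulnerableAuthorize(noRoles, anonymous));
        System.out.println("hardened authorizes anonymous:   " + hardenedAuthorize(noRoles, anonymous));
    }
}
```

A useful regression check for any interceptor of this shape is exactly the case in main: an empty allowed-roles set with an anonymous caller must be denied.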


How to mitigate CVE-2012-4549

Install the update from the vendor's website.

Sources