Permissions, Privileges, and Access Controls in JBoss Enterprise Application Platform - CVE-2012-4550
Published: January 5, 2013 / Updated: August 11, 2020
Vulnerability identifier: #VU43214
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2012-4550
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Red Hat Inc.
Affected software:
JBoss Enterprise Application Platform
JBoss Enterprise Application Platform
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) before 6.0.1, when using role-based authorization for Enterprise Java Beans (EJB) access, does not call the intended authorization modules, which prevents JACC permissions from being applied and allows remote attackers to obtain access to the EJB. Per https://bugzilla.redhat.com/show_bug.cgi?id=870871#c7 "This issue did not affect JBoss Enterprise Application Platform versions 4.x and 5.x."
How to mitigate CVE-2012-4550
Install update from vendor's website.