Vulnerabilities > Redhat > Jboss Enterprise Application Platform
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2013-02-05 | CVE-2013-0218 | Information Exposure vulnerability in Redhat products The GUI installer in JBoss Enterprise Application Platform (EAP) and Enterprise Web Platform (EWP) 5.2.0 and possibly 5.1.2 uses world-readable permissions for the auto-install XML file, which allows local users to obtain the administrator password and the sucker password by reading this file. | 2.1 |
| 2013-02-05 | CVE-2012-5478 | Permissions, Privileges, and Access Controls vulnerability in Redhat products The AuthorizationInterceptor in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 does not properly restrict access, which allows remote authenticated users to bypass intended role restrictions and perform arbitrary JMX operations via unspecified vectors. | 4.9 |
| 2013-02-05 | CVE-2012-3370 | Permissions, Privileges, and Access Controls vulnerability in Redhat products The SecurityAssociation.getCredential method in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 returns the credentials of the previous user when a security context is not provided, which allows remote attackers to gain privileges as other users. | 5.8 |
| 2013-02-05 | CVE-2012-3369 | Permissions, Privileges, and Access Controls vulnerability in Redhat products The CallerIdentityLoginModule in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 allows remote attackers to gain privileges of the previous user via a null password, which causes the previous user's password to be used. | 4.0 |
| 2013-02-05 | CVE-2012-0034 | Credentials Management vulnerability in Redhat products The NonManagedConnectionFactory in JBoss Enterprise Application Platform (EAP) 5.1.2 and 5.2.0, Web Platform (EWP) 5.1.2 and 5.2.0, and BRMS Platform before 5.3.1 logs the username and password in cleartext when an exception is thrown, which allows local users to obtain sensitive information by reading the log file. | 2.1 |
| 2013-01-05 | CVE-2012-4550 | Permissions, Privileges, and Access Controls vulnerability in Redhat Jboss Enterprise Application Platform 6.0.0 JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) before 6.0.1, when using role-based authorization for Enterprise Java Beans (EJB) access, does not call the intended authorization modules, which prevents JACC permissions from being applied and allows remote attackers to obtain access to the EJB. | 6.4 |
| 2013-01-05 | CVE-2012-4549 | Permissions, Privileges, and Access Controls vulnerability in Redhat Jboss Enterprise Application Platform The processInvocation function in org.jboss.as.ejb3.security.AuthorizationInterceptor in JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) before 6.0.1, authorizes all requests when no roles are allowed for an Enterprise Java Beans (EJB) method invocation, which allows attackers to bypass intended access restrictions for EJB methods. | 5.8 |
| 2012-11-23 | CVE-2012-1167 | Permissions, Privileges, and Access Controls vulnerability in Redhat products The JBoss Server in JBoss Enterprise Application Platform 5.1.x before 5.1.2 and 5.2.x before 5.2.2, Web Platform before 5.1.2, BRMS Platform before 5.3.0, and SOA Platform before 5.3.0, when the server is configured to use the JaccAuthorizationRealm and the ignoreBaseDecision property is set to true on the JBossWebRealm, does not properly check the permissions created by the WebPermissionMapping class, which allows remote authenticated users to access arbitrary applications. | 4.6 |
| 2012-10-22 | CVE-2012-1154 | Permissions, Privileges, and Access Controls vulnerability in Redhat Jboss Enterprise Application Platform and MOD Cluster mod_cluster 1.0.10 before 1.0.10 CP03 and 1.1.x before 1.1.4, as used in JBoss Enterprise Application Platform 5.1.2, when "ROOT" is set to excludedContexts, exposes the root context of the server, which allows remote attackers to bypass access restrictions and gain access to applications deployed on the root context via unspecified vectors. | 4.3 |
| 2012-01-27 | CVE-2011-4314 | Improper Input Validation vulnerability in multiple products message/ax/AxMessage.java in OpenID4Java before 0.9.6 final, as used in JBoss Enterprise Application Platform 5.1 before 5.1.2, Step2, Kay Framework before 1.0.2, and possibly other products does not verify that Attribute Exchange (AX) information is signed, which allows remote attackers to modify potentially sensitive AX information without detection via a man-in-the-middle (MITM) attack. | 5.8 |