Vulnerabilities > Redhat > Jboss Enterprise Application Platform > Medium

DATE CVE VULNERABILITY TITLE RISK
2013-08-16 CVE-2013-4213 Improper Access Control vulnerability in Redhat Jboss Enterprise Application Platform 6.1.0
Red Hat JBoss Enterprise Application Platform (EAP) 6.1.0 does not properly cache EJB invocations by the EJB client API, which allows remote attackers to hijack sessions by using an EJB client.
network
low complexity
redhat CWE-284
6.4
2013-08-16 CVE-2013-4128 Configuration vulnerability in Redhat Jboss Enterprise Application Platform 6.1.0
Red Hat JBoss Enterprise Application Platform (EAP) 6.1.0 does not properly cache EJB invocations by remote-naming, which allows remote attackers to hijack sessions by using a remoting client.
network
low complexity
redhat CWE-16
6.4
2013-07-29 CVE-2011-1483 wsf/common/DOMUtils.java in JBossWS Native in Red Hat JBoss Enterprise Application Platform 4.2.0.CP09, 4.3, and 5.1.1; JBoss Enterprise Portal Platform 4.3.CP06 and 5.1.1; JBoss Enterprise SOA Platform 4.2.CP05, 4.3.CP05, and 5.1.0; JBoss Communications Platform 1.2.11 and 5.1.1; JBoss Enterprise BRMS Platform 5.1.0; and JBoss Enterprise Web Platform 5.1.1 does not properly handle recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted request containing an XML document with a DOCTYPE declaration and a large number of nested entity references, a similar issue to CVE-2003-1564.
network
low complexity
redhat hp
5.0
2013-02-05 CVE-2012-5478 Permissions, Privileges, and Access Controls vulnerability in Redhat products
The AuthorizationInterceptor in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 does not properly restrict access, which allows remote authenticated users to bypass intended role restrictions and perform arbitrary JMX operations via unspecified vectors.
network
redhat CWE-264
4.9
2013-02-05 CVE-2012-3370 Permissions, Privileges, and Access Controls vulnerability in Redhat products
The SecurityAssociation.getCredential method in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 returns the credentials of the previous user when a security context is not provided, which allows remote attackers to gain privileges as other users.
network
redhat CWE-264
5.8
2013-02-05 CVE-2012-3369 Permissions, Privileges, and Access Controls vulnerability in Redhat products
The CallerIdentityLoginModule in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 allows remote attackers to gain privileges of the previous user via a null password, which causes the previous user's password to be used.
network
high complexity
redhat CWE-264
4.0
2013-01-05 CVE-2012-4550 Permissions, Privileges, and Access Controls vulnerability in Redhat Jboss Enterprise Application Platform 6.0.0
JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) before 6.0.1, when using role-based authorization for Enterprise Java Beans (EJB) access, does not call the intended authorization modules, which prevents JACC permissions from being applied and allows remote attackers to obtain access to the EJB.
network
low complexity
redhat CWE-264
6.4
2013-01-05 CVE-2012-4549 Permissions, Privileges, and Access Controls vulnerability in Redhat Jboss Enterprise Application Platform
The processInvocation function in org.jboss.as.ejb3.security.AuthorizationInterceptor in JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) before 6.0.1, authorizes all requests when no roles are allowed for an Enterprise Java Beans (EJB) method invocation, which allows attackers to bypass intended access restrictions for EJB methods.
network
redhat CWE-264
5.8
2012-11-23 CVE-2012-1167 Permissions, Privileges, and Access Controls vulnerability in Redhat products
The JBoss Server in JBoss Enterprise Application Platform 5.1.x before 5.1.2 and 5.2.x before 5.2.2, Web Platform before 5.1.2, BRMS Platform before 5.3.0, and SOA Platform before 5.3.0, when the server is configured to use the JaccAuthorizationRealm and the ignoreBaseDecision property is set to true on the JBossWebRealm, does not properly check the permissions created by the WebPermissionMapping class, which allows remote authenticated users to access arbitrary applications.
network
high complexity
redhat CWE-264
4.6
2012-10-22 CVE-2012-1154 Permissions, Privileges, and Access Controls vulnerability in Redhat Jboss Enterprise Application Platform and MOD Cluster
mod_cluster 1.0.10 before 1.0.10 CP03 and 1.1.x before 1.1.4, as used in JBoss Enterprise Application Platform 5.1.2, when "ROOT" is set to excludedContexts, exposes the root context of the server, which allows remote attackers to bypass access restrictions and gain access to applications deployed on the root context via unspecified vectors.
network
redhat CWE-264
4.3