Skip to main content

Jboss Enterprise Web Platform CVE-2012-3369

MEDIUM
Permissions, Privileges, and Access Controls (CWE-264)
2013-02-05 secalert@redhat.com
4.0
CVSS 2.0 · NVD
Share

Severity by source

NVD PRIMARY
4.0 MEDIUM
AV:N/AC:H/Au:N/C:P/I:P/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

AV:N/AC:H/Au:N/C:P/I:P/A:N
Attack Vector
Network
Attack Complexity
High
Confidentiality
P
Integrity
P
Availability
None

Lifecycle Timeline

1
CVE Published
Feb 05, 2013 - 23:55 cve.org
MEDIUM 4.0

DescriptionCVE.org

The CallerIdentityLoginModule in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 allows remote attackers to gain privileges of the previous user via a null password, which causes the previous user's password to be used.

AnalysisAI

The CallerIdentityLoginModule in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 allows remote. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-264. The CallerIdentityLoginModule in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 allows remote attackers to gain privileges of the previous user via a null password, which causes the previous user's password to be used. Affected products include: Redhat Jboss Enterprise Web Platform, Redhat Jboss Enterprise Application Platform, Redhat Jboss Enterprise Brms Platform. Version information: before 5.2.0.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2013-2165 HIGH
7.5 Jul 23

ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0

CVE-2012-5575 MEDIUM
6.4 Aug 19

Apache CXF 2.5.x before 2.5.10, 2.6.x before CXF 2.6.7, and 2.7.x before CXF 2.7.4 does not verify that a specified cryp

CVE-2012-5629 HIGH
7.5 Mar 12

The default configuration of the (1) LdapLoginModule and (2) LdapExtLoginModule modules in JBoss Enterprise Application

CVE-2014-0248 MEDIUM
6.8 Jul 07

org.jboss.seam.web.AuthenticationFilter in Red Hat JBoss Web Framework Kit 2.5.0, JBoss Enterprise Application Platform

CVE-2012-3370 MEDIUM
5.8 Feb 05

The SecurityAssociation.getCredential method in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (

CVE-2013-4210 MEDIUM
5.0 Oct 01

The org.jboss.remoting.transport.socket.ServerThread class in Red Hat JBoss Remoting for Red Hat JBoss SOA Platform 5.3.

CVE-2012-5478 MEDIUM
4.9 Feb 05

The AuthorizationInterceptor in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.

CVE-2012-1167 MEDIUM
4.6 Nov 23

The JBoss Server in JBoss Enterprise Application Platform 5.1.x before 5.1.2 and 5.2.x before 5.2.2, Web Platform before

CVE-2012-0034 LOW
2.1 Feb 05

The NonManagedConnectionFactory in JBoss Enterprise Application Platform (EAP) 5.1.2 and 5.2.0, Web Platform (EWP) 5.1.2

CVE-2013-0218 LOW
2.1 Feb 05

The GUI installer in JBoss Enterprise Application Platform (EAP) and Enterprise Web Platform (EWP) 5.2.0 and possibly 5.

Share

CVE-2012-3369 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy