Jboss Enterprise Application Platform
CVE-2012-3370
MEDIUM
Severity by source
AV:N/AC:M/Au:N/C:P/I:P/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
AV:N/AC:M/Au:N/C:P/I:P/A:N
Lifecycle Timeline
1DescriptionCVE.org
The SecurityAssociation.getCredential method in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 returns the credentials of the previous user when a security context is not provided, which allows remote attackers to gain privileges as other users.
AnalysisAI
The SecurityAssociation.getCredential method in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-264. The SecurityAssociation.getCredential method in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 returns the credentials of the previous user when a security context is not provided, which allows remote attackers to gain privileges as other users. Affected products include: Redhat Jboss Enterprise Application Platform, Redhat Jboss Enterprise Web Platform, Redhat Jboss Enterprise Brms Platform. Version information: before 5.2.0.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction wi
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
HTTPServerILServlet.java in JMS over HTTP Invocation Layer of the JbossMQ implementation, which is enabled by default in
Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denia
Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Lo
A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL proto
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot
In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value placeholder in [Proxy-]Authorization headers of type 'D
mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which al
The JMX servlet in Red Hat JBoss Enterprise Application Platform (EAP) 4 and 5 allows remote authenticated users to caus
In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malici
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today