This script is Copyright (C) 2011-2014 Tenable Network Security, Inc.
The remote web server has an authentication bypass vulnerability.
The version of JBoss Enterprise Application Platform (EAP) running on
the remote host allows unauthenticated access to documents under the
/jmx-console directory. This is due to a misconfiguration in web.xml
which only requires authentication for GET and POST requests.
Specifying a different verb such as HEAD, DELETE, or PUT causes the
default GET handler to be used without authentication.
A remote, unauthenticated attacker could exploit this by deploying a
malicious .war file, resulting in arbitrary code execution.
This version of JBoss EAP likely has other vulnerabilities (refer to
Nessus plugins 33869 and 46181).
See also :
Upgrade to JBoss EAP version 4.2.0.CP09 / 4.3.0.CP08 or later.
If a non-vulnerable version of the software is being used, remove
all <http-method> elements from the <security-constraint> section
of the appropriate web.xml.
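As an added illustration (not Tenable's plugin code), the check below parses a web.xml and flags any <security-constraint> whose <web-resource-collection> lists <http-method> elements, which is exactly the shape that leaves other verbs unauthenticated; it runs over a constructed weak descriptor and the same descriptor with the <http-method> elements removed. The resource name, role name and url-pattern are illustrative assumptions.

```python
"""Audit a web.xml for verb-limited <security-constraint> entries.

A constraint that names only GET and POST protects nothing else: HEAD, PUT,
DELETE and other verbs fall through to the unauthenticated default handler.
Removing every <http-method> element makes the constraint cover all verbs.
"""
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip a namespace prefix ({uri}name -> name) so namespaced files match."""
    return tag.rsplit("}", 1)[-1]


def verb_limited_constraints(web_xml):
    """Return (url_patterns, http_methods) for each resource collection that
    restricts by http-method, i.e. each constraint that can be bypassed."""
    root = ET.fromstring(web_xml)
    findings = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            patterns = [e.text.strip() for e in wrc if _local(e.tag) == "url-pattern"]
            methods = [e.text.strip() for e in wrc if _local(e.tag) == "http-method"]
            if methods:  # any explicit verb list leaves the remaining verbs open
                findings.append((patterns, methods))
    return findings


# Constructed descriptor; names and pattern are illustrative, not JBoss's file.
_TEMPLATE = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>{methods}
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

# Weak form: authentication applies to GET and POST only.
WEAK_WEB_XML = _TEMPLATE.format(
    methods="\n      <http-method>GET</http-method>\n      <http-method>POST</http-method>")
# Corrected form: no <http-method> elements, so the constraint covers every verb.
FIXED_WEB_XML = _TEMPLATE.format(methods="")

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_WEB_XML), ("fixed", FIXED_WEB_XML)):
        print(name, verb_limited_constraints(doc))
```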
Risk factor : High
CVSS Base Score : 7.5
CVSS Temporal Score : 6.5
Public Exploit Available : true