CVE-2014-3472

MEDIUM

Description

The isCallerInRole function in SimpleSecurityManager in JBoss Application Server (AS) 7, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.3.0, does not properly check caller roles, which allows remote authenticated users to bypass access restrictions via unspecified vectors.

References

http://rhn.redhat.com/errata/RHSA-2014-1019.html

http://rhn.redhat.com/errata/RHSA-2014-1020.html

http://rhn.redhat.com/errata/RHSA-2014-1021.html

http://rhn.redhat.com/errata/RHSA-2015-0720.html

http://www.securityfocus.com/bid/69094

https://bugzilla.redhat.com/show_bug.cgi?id=1103815

https://exchange.xforce.ibmcloud.com/vulnerabilities/95170

Details

Source: MITRE

Published: 2014-08-19

Updated: 2017-08-29

Type: CWE-264 (Permissions, Privileges, and Access Controls)

Risk Information

CVSS v2.0

Base Score: 4.9

Vector: AV:N/AC:M/Au:S/C:P/I:P/A:N

Impact Score: 4.9

Exploitability Score: 6.8

Severity: MEDIUM

Tenable Plugins


ID     Name                                  Product  Family                         Severity
77079  RHEL 6 : JBoss EAP (RHSA-2014:1020)   Nessus   Red Hat Local Security Checks  medium
77078  RHEL 5 : JBoss EAP (RHSA-2014:1019)   Nessus   Red Hat Local Security Checks  medium

Both plugins are local checks against the RHEL 5 and RHEL 6 package versions shipped in those errata; no plugin is listed here for RHSA-2014:1021 or RHSA-2015:0720.