CVE-2017-12149

critical

Description

In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data.

References

https://github.com/gottburgm/Exploits/tree/master/CVE-2017-12149

https://access.redhat.com/errata/RHSA-2018:1608

https://access.redhat.com/errata/RHSA-2018:1607

https://veriti.ai/blog/vulnerable-villain-when-hackers-get-hacked/

https://bugzilla.redhat.com/show_bug.cgi?id=1486220

Details

Source: Mitre, NVD

Published: 2017-10-04

Updated: 2025-04-20

Known Exploited Vulnerability (KEV)

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.94313