CVE-2009-0027 — Improper Input Validation in Redhat Jboss Enterprise Application Platform

CWE-20 — Improper Input Validation6 documents5 sources

Severity

5.0MEDIUMNVD

EPSS

0.7%

top 27.86%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Jboss Enterprise Application Platform

Timeline

PublishedMar 9

Latest updateMay 2

Description

The request handler in JBossWS in JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP06 and 4.3 before 4.3.0.CP04 does not properly validate the resource path during a request for a WSDL file with a custom web-service endpoint, which allows remote attackers to read arbitrary XML files via a crafted request.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages1 packages

▶NVDredhat/jboss_enterprise_application_platform4.2.0, 4.3.0+1

Patches

Patch: rhn.redhat.com ↗Patch: rhn.redhat.com ↗Patch: rhn.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-5xfj-v547-vccj: The request handler in JBossWS in JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4↗2022-05-02

▶

CVEList

CVE-2009-0027: The request handler in JBossWS in JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4↗2009-03-09

▶

📋Vendor Advisories

Red Hat

JBoss EAP unprivileged local xml file access↗2009-03-06

▶

💬Community

Bugzilla

Moodle: Multiple security fixes in 1.9.7 and 1.8.11 upstream releases↗2009-12-06

▶

Bugzilla

CVE-2009-0027 JBoss EAP unprivileged local xml file access↗2009-01-12

▶