CVE-2010-2493

CWE-166 documents6 sources

Severity

5.0MEDIUM

EPSS

0.0%

top 85.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Jboss Enterprise SOA Platform

Timeline

PublishedAug 10

Latest updateMay 17

Description

The default configuration of the deployment descriptor (aka web.xml) in picketlink-sts.war in (1) the security_saml quickstart, (2) the webservice_proxy_security quickstart, (3) the web-console application, (4) the http-invoker application, (5) the gpd-deployer application, (6) the jbpm-console application, (7) the contract application, and (8) the uddi-console application in JBoss Enterprise SOA Platform before 5.0.2 contains GET and POST http-method elements, which allows remote attackers to b…

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages1 packages

▶NVDredhat/jboss_enterprise_soa_platform5.0.1+3

🔴Vulnerability Details

GHSA

GHSA-cc2j-r2rv-77c8: The default configuration of the deployment descriptor (aka web↗2022-05-17

▶

CVEList

CVE-2010-2493: The default configuration of the deployment descriptor (aka web↗2010-08-09

▶

VulnCheck

JBoss Enterprise SOA Platform before 5.0.2 contains GET and POST http-method Security Bypass↗2010

▶

📋Vendor Advisories

Red Hat

JBoss SOA Platform web application authentication bypass↗2010-07-14

▶

💬Community

Bugzilla

CVE-2010-2493 JBoss SOA Platform web application authentication bypass↗2010-07-15

▶