CVE-2011-3609

CWE-352 — Cross-Site Request Forgery (CSRF)6 documents5 sources

Severity

6.5MEDIUM

EPSS

0.5%

top 33.66%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jboss Application Server Jboss Application Server Redhat Jboss Application Server

Timeline

PublishedNov 26

Latest updateApr 22

Description

A CSRF issue was found in JBoss Application Server 7 before 7.1.0. JBoss did not properly restrict access to the management console information (for example via the "Access-Control-Allow-Origin" HTTP access control flag). This can lead to unauthorized information leak if a user with admin privileges visits a specially-crafted web page provided by a remote attacker.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶NVDredhat/jboss_application_server7.0.0, 7.0.1, 7.0.2+2

▶CVEListV5jboss_application_server/jboss_application_server7 before 7.1.0

🔴Vulnerability Details

GHSA

GHSA-66h8-2pwv-w4h6: A CSRF issue was found in JBoss Application Server 7 before 7↗2022-04-22

▶

CVEList

CVE-2011-3609: A CSRF issue was found in JBoss Application Server 7 before 7↗2019-11-26

▶

📋Vendor Advisories

Red Hat

AS: CSRF in the administration console & HTTP management API↗2011-10-12

▶

💬Community

Bugzilla

CVE-2011-3609 JBoss AS: CSRF in the administration console & HTTP management API↗2011-10-03

▶