Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2012-0874

Severity
6.8 MEDIUM
EPSS
51.3%
top 2.12%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Timeline
Published: Feb 5
Latest update: May 17

Description

The (1) JMXInvokerHAServlet and (2) EJBInvokerHAServlet invoker servlets in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 do not require authentication by default in certain profiles, which might allow remote attackers to invoke MBean methods and execute arbitrary code via unspecified vectors. NOTE: this issue can only be exploited when the interceptor is not properly configured with a "second

CVSS vector

AV:N/AC:M/C:P/I:P/A:P
Exploitability: 8.6 | Impact: 6.4

🔴Vulnerability Details

3
GHSA
GHSA-cjrh-9rp2-h6f2: The (1) JMXInvokerHAServlet and (2) EJBInvokerHAServlet invoker servlets in JBoss Enterprise Application Platform (EAP) before 5 (2022-05-17)
CVEList
CVE-2012-0874: The (1) JMXInvokerHAServlet and (2) EJBInvokerHAServlet invoker servlets in JBoss Enterprise Application Platform (EAP) before 5 (2013-02-05)
VulnCheck
Red Hat JBoss Application Server Improper Authentication (2012)

💥Exploits & PoCs

1
Exploit-DB
EMC Data Protection Advisor DPA Illuminator - EJBInvokerServlet Remote Code Execution (2013-12-11)

📋Vendor Advisories

1
Red Hat
JBoss invoker servlets do not require authentication (2013-01-24)

💬Community

2
Bugzilla
CVE-2012-3173 mysql: unspecified DoS vulnerability related to InnoDB Plugin (CPU Oct 2012) (2012-10-17)
Bugzilla
CVE-2012-0874 JBoss invoker servlets do not require authentication (2012-02-21)