CVE-2012-1094

CWE-200 — Information Exposure6 documents6 sources

Severity

7.5HIGH

EPSS

0.2%

top 53.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Jboss Application Server

Timeline

PublishedMar 10

Latest updateApr 23

Description

JBoss AS 7 prior to 7.1.1 and mod_cluster do not handle default hostname in the same way, which can cause the excluded-contexts list to be mismatched and the root context to be exposed.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶Mavenorg.jboss.as:jboss-as-server7.0.0.Alpha1 — 7.1.1.Final

▶NVDredhat/jboss_application_server7.0.0 — 7.1.1

▶CVEListV5jboss_as_7prior to 7.1.1

🔴Vulnerability Details

OSV

JBoss AS may expose root content if excluded-contexts list is mismatched↗2022-04-23

▶

GHSA

JBoss AS may expose root content if excluded-contexts list is mismatched↗2022-04-23

▶

CVEList

CVE-2012-1094: JBoss AS 7 prior to 7↗2020-03-10

▶

📋Vendor Advisories

Red Hat

mod_cluster registers and exposes the root context of a JBoss AS 7 server by default, despite ROOT being in the excluded-contexts list↗2012-02-04

▶

💬Community

Bugzilla

CVE-2012-1094 mod_cluster registers and exposes the root context of a JBoss AS 7 server by default, despite ROOT being in the excluded-contexts list↗2012-03-01

▶