CVE-2012-1154

CWE-264 CWE-284 — Improper Access Control6 documents6 sources

Severity

4.3MEDIUM

EPSS

0.3%

top 43.74%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Jboss Enterprise Application Platform Redhat MOD Cluster

Timeline

PublishedOct 22

Latest updateMay 17

Description

mod_cluster 1.0.10 before 1.0.10 CP03 and 1.1.x before 1.1.4, as used in JBoss Enterprise Application Platform 5.1.2, when "ROOT" is set to excludedContexts, exposes the root context of the server, which allows remote attackers to bypass access restrictions and gain access to applications deployed on the root context via unspecified vectors.

CVSS vector

AV:N/AC:M/C:P/I:N/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

▶NVDredhat/jboss_enterprise_application_platform5.1.2

▶Mavenorg.jboss.mod_cluster:mod_cluster1.1.0 — 1.1.4

▶NVDredhat/mod_cluster6 versions+5

🔴Vulnerability Details

OSV

Improper Access Control in JBoss mod_cluster↗2022-05-17

▶

GHSA

Improper Access Control in JBoss mod_cluster↗2022-05-17

▶

CVEList

CVE-2012-1154: mod_cluster 1↗2012-10-22

▶

📋Vendor Advisories

Red Hat

mod_cluster registers and exposes the root context of a server by default, despite ROOT being in the excluded-contexts list↗2011-08-31

▶

💬Community

Bugzilla

CVE-2012-1154 mod_cluster registers and exposes the root context of a server by default, despite ROOT being in the excluded-contexts list↗2012-03-12

▶