CVE-2012-1167

CWE-264 | 5 documents | 5 sources
Severity: 4.6 MEDIUM
EPSS: 0.8% (top 25.71%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 23; latest update May 17

Description

The JBoss Server in JBoss Enterprise Application Platform 5.1.x before 5.1.2 and 5.2.x before 5.2.2, Web Platform before 5.1.2, BRMS Platform before 5.3.0, and SOA Platform before 5.3.0, when the server is configured to use the JaccAuthorizationRealm and the ignoreBaseDecision property is set to true on the JBossWebRealm, does not properly check the permissions created by the WebPermissionMapping class, which allows remote authenticated users to access arbitrary applications.

CVSS vector

AV:N/AC:H/C:P/I:P/A:P
Exploitability: 3.9 | Impact: 6.4

🔴 Vulnerability Details (2)

GHSA: GHSA-9f9q-j576-jp97: The JBoss Server in JBoss Enterprise Application Platform 5 (2022-05-17)
CVEList: CVE-2012-1167: The JBoss Server in JBoss Enterprise Application Platform 5 (2012-11-23)

📋 Vendor Advisories (1)

Red Hat: JBoss: authentication bypass when running under JACC with ignoreBaseDecision on JBossWebRealm (2012-06-12)

💬 Community (1)

Bugzilla: CVE-2012-1167 JBoss: authentication bypass when running under JACC with ignoreBaseDecision on JBossWebRealm (2012-03-13)