CVE-2012-2377
Severity
3.3 LOW
EPSS
1.0%
top 23.13%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Nov 23
Latest update: May 17
Description
The JGroups diagnostics service in JBoss Enterprise Portal Platform before 5.2.2, SOA Platform before 5.3.0, and BRMS Platform before 5.3.0 is enabled without authentication when started by the JGroups channel, which allows remote attackers in adjacent networks to read diagnostics information via a crafted IP multicast.
CVSS vector
AV:A/AC:L/C:P/I:N/A:N
Exploitability: 6.5 | Impact: 2.9
Affected Packages: 3 packages
Vulnerability Details (2)
Vendor Advisories (1)
Red Hat
JGroups diagnostics service enabled by default with no authentication when a JGroups channel is started (2012-06-12)
Community (1)
Bugzilla
CVE-2012-2377 JGroups diagnostics service enabled by default with no authentication when a JGroups channel is started (2012-05-21)