CVE-2012-3369

CWE-2645 documents5 sources

Severity

4.0MEDIUM

EPSS

1.3%

top 20.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Jboss Enterprise Brms Platform Redhat Jboss Enterprise Application Platform Redhat Jboss Enterprise WEB Platform

Timeline

PublishedFeb 5

Latest updateMay 17

Description

The CallerIdentityLoginModule in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 allows remote attackers to gain privileges of the previous user via a null password, which causes the previous user's password to be used.

CVSS vector

AV:N/AC:H/C:P/I:P/A:NExploitability: 4.9 | Impact: 4.9

Affected Packages3 packages

▶NVDredhat/jboss_enterprise_brms_platform5.3.0

▶NVDredhat/jboss_enterprise_application_platform5.2.0

▶NVDredhat/jboss_enterprise_web_platform5.2.0

🔴Vulnerability Details

GHSA

GHSA-hgmc-pjc5-rw9x: The CallerIdentityLoginModule in JBoss Enterprise Application Platform (EAP) before 5↗2022-05-17

▶

CVEList

CVE-2012-3369: The CallerIdentityLoginModule in JBoss Enterprise Application Platform (EAP) before 5↗2013-02-05

▶

📋Vendor Advisories

Red Hat

JBoss: CallerIdentityLoginModule retaining password from previous call if a null password is provided↗2013-01-24

▶

💬Community

Bugzilla

CVE-2012-3369 JBoss: CallerIdentityLoginModule retaining password from previous call if a null password is provided↗2012-06-29

▶