CVE-2012-4549 — Incorrect Privilege Assignment in Red Hat JBoss Enterprise Application Platform
Severity
5.8 MEDIUM (NVD)
EPSS
0.3%
top 50.30%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jan 5
Latest update: May 17
Description
The processInvocation function in org.jboss.as.ejb3.security.AuthorizationInterceptor in JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) before 6.0.1 authorizes all requests when no roles are allowed for an Enterprise Java Beans (EJB) method invocation, which allows attackers to bypass intended access restrictions for EJB methods.
CVSS vector
AV:N/AC:M/C:P/I:P/A:N
Exploitability: 8.6 | Impact: 4.9
Affected Packages: 1 package
Bugzilla
CVE-2012-4549 JBoss AS: EJB authorization succeeds for any role when allowed roles list is empty (2012-10-29)