CVE-2012-4550 — Improper Handling of Insufficient Permissions or Privileges in Redhat Jboss Enterprise Application Platform

CWE-264 CWE-280 — Improper Handling of Insufficient Permissions or Privileges5 documents5 sources

Severity

6.4MEDIUMNVD

EPSS

0.3%

top 49.23%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Jboss Enterprise Application Platform

Timeline

PublishedJan 5

Latest updateMay 17

Description

JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) before 6.0.1, when using role-based authorization for Enterprise Java Beans (EJB) access, does not call the intended authorization modules, which prevents JACC permissions from being applied and allows remote attackers to obtain access to the EJB.

CVSS vector

AV:N/AC:L/C:P/I:P/A:NExploitability: 10.0 | Impact: 4.9

Affected Packages1 packages

▶NVDredhat/jboss_enterprise_application_platform6.0.0

🔴Vulnerability Details

GHSA

GHSA-gg53-v4gc-qv5q: JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) before 6↗2022-05-17

▶

CVEList

CVE-2012-4550: JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) before 6↗2013-01-05

▶

📋Vendor Advisories

Red Hat

CVE-2012-4550: JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) before 6↗2013-01-05

▶

💬Community

Bugzilla

CVE-2012-4550 JBoss JACC: Security constraints configured for EJBs are incorrectly interpreted and not applied↗2012-10-29

▶