CVE-2013-2133Missing Authorization in Redhat Jboss Enterprise Application Platform

CWE-264CWE-862Missing Authorization10 documents5 sources
Severity
5.5MEDIUMNVD
EPSS
0.3%
top 44.35%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Redhat Jboss Enterprise Application PlatformRedhat Enterprise Linux
Timeline
PublishedDec 6
Latest updateMay 17

Description

The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) before 6.2.0, does not properly enforce the method level restrictions for JAX-WS Service endpoints, which allows remote authenticated users to access otherwise restricted JAX-WS handlers by leveraging permissions to the EJB class.

CVSS vector

AV:N/AC:L/C:P/I:P/A:NExploitability: 8.0 | Impact: 4.9

Affected Packages1 packages

Also affects: Enterprise Linux 5, 6.0

🔴Vulnerability Details

4
GHSA
GHSA-jm2h-vv8x-8cv3: The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) 62022-05-17
GHSA
GHSA-2579-mjx2-r625: The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) before 62022-05-14
CVEList
CVE-2014-3464: The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) 62014-08-19
CVEList
CVE-2013-2133: The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) before 62013-12-06

📋Vendor Advisories

2
Red Hat
WS: Incomplete fix for CVE-2013-21332014-08-06
Red Hat
WS: EJB3 role restrictions are not applied to jaxws handlers2013-12-04

💬Community

2
Bugzilla
CVE-2014-3464 JBoss WS: Incomplete fix for CVE-2013-21332014-05-28
Bugzilla
CVE-2013-2133 JBoss WS: EJB3 role restrictions are not applied to jaxws handlers2013-06-03
CVE-2013-2133 — Missing Authorization in Redhat | cvebase