CVE-2014-0169 — Incorrect Authorization in Red Hat JBoss EAP
Severity
6.5 MEDIUM (NVD)
EPSS
0.2%
top 61.69%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jan 2
Latest update: May 17
Description
In JBoss EAP 6, a security domain is configured to use a cache that is shared between all applications that are in the security domain. This could allow an authenticated user in one application to access protected resources in another application without proper authorization. Although this is intended functionality, it was not clearly documented, which can mislead users into thinking that a security domain cache is isolated to a single application.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6
Affected Packages: 2 packages
🔴 Vulnerability Details (2)
GHSA
GHSA-hwg9-xff6-g3rg: In JBoss EAP 6 a security domain is configured to use a cache that is shared between all applications that are in the security domain (2022-05-17)
CVEList
CVE-2014-0169: In JBoss EAP 6 a security domain is configured to use a cache that is shared between all applications that are in the security domain (2020-01-02)
📋 Vendor Advisories (1)
💬 Community (1)
Bugzilla