CVE-2014-3464Redhat Jboss Enterprise Application Platform vulnerability

5 documents5 sources
Severity
5.5MEDIUMNVD
EPSS
0.2%
top 59.12%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Redhat Jboss Enterprise Application Platform
Timeline
PublishedAug 19
Latest updateMay 17

Description

The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) 6.2.0 and 6.3.0, does not properly enforce the method level restrictions for outbound messages, which allows remote authenticated users to access otherwise restricted JAX-WS handlers by leveraging permissions to the EJB class. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-2133.

CVSS vector

AV:N/AC:L/C:P/I:P/A:NExploitability: 8.0 | Impact: 4.9

Affected Packages1 packages

🔴Vulnerability Details

2
GHSA
GHSA-jm2h-vv8x-8cv3: The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) 62022-05-17
CVEList
CVE-2014-3464: The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) 62014-08-19

📋Vendor Advisories

1
Red Hat
WS: Incomplete fix for CVE-2013-21332014-08-06

💬Community

1
Bugzilla
CVE-2014-3464 JBoss WS: Incomplete fix for CVE-2013-21332014-05-28
CVE-2014-3464 — Redhat vulnerability | cvebase