CVE-2014-3472 — Incomplete List of Disallowed Inputs in Redhat Jboss Enterprise Application Platform

CWE-264 CWE-184 — Incomplete List of Disallowed Inputs5 documents5 sources

Severity

4.9MEDIUMNVD

EPSS

0.2%

top 52.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Jboss Enterprise Application Platform

Timeline

PublishedAug 19

Latest updateMay 17

Description

The isCallerInRole function in SimpleSecurityManager in JBoss Application Server (AS) 7, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.3.0, does not properly check caller roles, which allows remote authenticated users to bypass access restrictions via unspecified vectors.

CVSS vector

AV:N/AC:M/C:P/I:P/A:NExploitability: 6.8 | Impact: 4.9

Affected Packages1 packages

▶NVDredhat/jboss_enterprise_application_platform6.3.0

🔴Vulnerability Details

GHSA

GHSA-x926-v8v9-j4mp: The isCallerInRole function in SimpleSecurityManager in JBoss Application Server (AS) 7, as used in Red Hat JBoss Enterprise Application Platform (JBE↗2022-05-17

▶

CVEList

CVE-2014-3472: The isCallerInRole function in SimpleSecurityManager in JBoss Application Server (AS) 7, as used in Red Hat JBoss Enterprise Application Platform (JBE↗2014-08-19

▶

📋Vendor Advisories

Red Hat

Security: Invalid EJB caller role check implementation↗2014-08-06

▶

💬Community

Bugzilla

CVE-2014-3472 JBoss AS Security: Invalid EJB caller role check implementation↗2014-06-02

▶