CVE-2014-7849 — Incorrect Authorization in Redhat Jboss Enterprise Application Platform

CWE-264 CWE-863 — Incorrect Authorization7 documents6 sources

Severity

4.0MEDIUMNVD

EPSS

0.4%

top 39.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Jboss Enterprise Application Platform

Timeline

PublishedFeb 13

Latest updateMay 17

Description

The Role Based Access Control (RBAC) implementation in JBoss Enterprise Application Platform (EAP) 6.2.0 through 6.3.2 does not properly verify authorization conditions, which allows remote authenticated users to add, modify, and undefine otherwise restricted attributes by leveraging the Maintainer role.

CVSS vector

AV:N/AC:L/C:N/I:P/A:NExploitability: 8.0 | Impact: 2.9

Affected Packages1 packages

▶NVDredhat/jboss_enterprise_application_platform8 versions+7

🔴Vulnerability Details

GHSA

GHSA-5938-95q9-6rh3: The Role Based Access Control (RBAC) implementation in JBoss Enterprise Application Platform (EAP) 6↗2022-05-17

▶

CVEList

CVE-2014-7849: The Role Based Access Control (RBAC) implementation in JBoss Enterprise Application Platform (EAP) 6↗2015-02-13

▶

📋Vendor Advisories

Red Hat

Management: Limited RBAC authorization bypass↗2015-02-11

▶

💬Community

Bugzilla

CVE-2014-7849 JBoss AS/WildFly Domain Management: Limited RBAC authorization bypass↗2014-11-18

▶