CVE-2015-0297

CWE-284 — Improper Access Control CWE-306 — Missing Authentication5 documents5 sources

Severity

9.0CRITICAL

EPSS

0.6%

top 31.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Jboss Operations Network

Timeline

PublishedApr 24

Latest updateMay 17

Description

Red Hat JBoss Operations Network 3.3.1 does not properly restrict access to certain APIs, which allows remote attackers to execute arbitrary Java methods via the (1) ServerInvokerServlet or (2) SchedulerService or (3) cause a denial of service (disk consumption) via the ContentManager.

CVSS vector

AV:N/AC:L/C:P/I:P/A:CExploitability: 10.0 | Impact: 8.5

Affected Packages1 packages

▶NVDredhat/jboss_operations_network3.3.1

🔴Vulnerability Details

GHSA

GHSA-hfm5-vrw2-7m5q: Red Hat JBoss Operations Network 3↗2022-05-17

▶

CVEList

CVE-2015-0297: Red Hat JBoss Operations Network 3↗2015-04-24

▶

📋Vendor Advisories

Red Hat

RHQ: ServerInvokerServlet remote code exec↗2015-04-14

▶

💬Community

Bugzilla

CVE-2015-0297 RHQ: ServerInvokerServlet remote code exec↗2015-03-03

▶