CVE-2015-5304 — Missing Authorization in Redhat Jboss Enterprise Application Platform

CWE-264 CWE-862 — Missing Authorization5 documents5 sources

Severity

3.5LOWNVD

EPSS

1.3%

top 20.33%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Jboss Enterprise Application Platform

Timeline

PublishedDec 16

Latest updateMay 17

Description

Red Hat JBoss Enterprise Application Platform (EAP) before 6.4.5 does not properly authorize access to shut down the server, which allows remote authenticated users with the Monitor, Deployer, or Auditor role to cause a denial of service via unspecified vectors.

CVSS vector

AV:N/AC:M/C:N/I:N/A:PExploitability: 6.8 | Impact: 2.9

Affected Packages1 packages

▶NVDredhat/jboss_enterprise_application_platform6.4.4

🔴Vulnerability Details

GHSA

GHSA-gvc6-x7v9-m2cq: Red Hat JBoss Enterprise Application Platform (EAP) before 6↗2022-05-17

▶

CVEList

CVE-2015-5304: Red Hat JBoss Enterprise Application Platform (EAP) before 6↗2015-12-16

▶

📋Vendor Advisories

Red Hat

EAP: missing authorization check for Monitor/Deployer/Auditor role when shutting down server↗2015-12-02

▶

💬Community

Bugzilla

CVE-2015-5304 JBoss EAP: missing authorization check for Monitor/Deployer/Auditor role when shutting down server↗2015-10-19

▶