Vulnerability CVE-2008-3519

Vulnerability Name:

CVE-2008-3519 (CCN-45305)

Assigned:

2008-09-22

Published:

2008-09-22

Updated:

2017-08-08

Summary:

The default configuration of the JBossAs component in Red Hat JBoss Enterprise Application Platform (aka JBossEAP or EAP), possibly 4.2 before CP04 and 4.3 before CP02, when a production environment is enabled, sets the DownloadServerClasses property to true, which allows remote attackers to obtain sensitive information (non-EJB classes) via a download request, a different vulnerability than CVE-2008-3273.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
3.2 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

Vulnerability Type:

CWE-16

Vulnerability Consequences:

Obtain Information

References:

Source: CONFIRM
Type: UNKNOWN
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=458823

Source: MITRE
Type: CNA
CVE-2008-3519

Source: CCN
Type: RHSA-2008-0831
Low: JBoss Enterprise Application Platform 4.3.0CP02 security update

Source: CCN
Type: RHSA-2008-0832
Low: JBoss Enterprise Application Platform 4.3.0CP02 security update

Source: CCN
Type: RHSA-2008-0833
Low: JBoss Enterprise Application Platform 4.2.0CP04 security update

Source: CCN
Type: RHSA-2008-0834
JBoss Enterprise Application Platform 4.2.0CP04 security update

Source: CCN
Type: SECTRACK ID: 1020905
JBoss Enterprise Application Platform DownloadServerClasses Configuration Lets Remote Users Download Class Files

Source: MISC
Type: Patch
http://www.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/4.2.0.cp04/html-single/readme/index.html

Source: MISC
Type: Patch
http://www.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/4.3.0.cp02/html-single/readme/index.html

Source: CCN
Type: Red Hat Web site
JBoss Enterprise Application Platform

Source: REDHAT
Type: UNKNOWN
RHSA-2008:0831

Source: REDHAT
Type: UNKNOWN
RHSA-2008:0832

Source: REDHAT
Type: UNKNOWN
RHSA-2008:0833

Source: REDHAT
Type: UNKNOWN
RHSA-2008:0834

Source: BID
Type: UNKNOWN
31300

Source: CCN
Type: BID-31300
JBoss Enterprise Application Platform Class Files Information Disclosure Vulnerability

Source: SECTRACK
Type: UNKNOWN
1020905

Source: XF
Type: UNKNOWN
jboss-downloadserverclasses-info-disclosure(45305)

Source: XF
Type: UNKNOWN
jboss-downloadserverclasses-info-disclosure(45305)

Vulnerable Configuration:

Configuration 1:

cpe:/a:redhat:jboss_enterprise_application_platform:4.2:*:*:*:*:*:*:*

OR cpe:/a:redhat:jboss_enterprise_application_platform:4.2:cp01:*:*:*:*:*:*

OR cpe:/a:redhat:jboss_enterprise_application_platform:4.2:cp02:*:*:*:*:*:*

OR cpe:/a:redhat:jboss_enterprise_application_platform:*:cp03:*:*:*:*:*:* (Version <= 4.2)

OR cpe:/a:redhat:jboss_enterprise_application_platform:4.3:*:*:*:*:*:*:*

OR cpe:/a:redhat:jboss_enterprise_application_platform:*:cp01:*:*:*:*:*:* (Version <= 4.3)

Denotes that component is vulnerable

BACK