Vulnerability CVE-2010-3878

Vulnerability Name:

CVE-2010-3878 (CCN-63668)

Assigned:

2010-12-01

Published:

2010-12-01

Updated:

2010-12-30

Summary:

Cross-site request forgery (CSRF) vulnerability in the JMX Console in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3 before 4.3.0.CP09 allows remote attackers to hijack the authentication of administrators for requests that deploy WAR files.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-352

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2010-3878

Source: CCN
Type: RHSA-2010-0937
Important: JBoss Enterprise Application Platform 4.3.0.CP09 update

Source: CCN
Type: RHSA-2010-0938
Important: JBoss Enterprise Application Platform 4.3.0.CP09 update

Source: CCN
Type: SA42398
Red Hat JBoss Enterprise Application Platform Three Vulnerabilities

Source: CCN
Type: SECTRACK ID: 1024813
JBoss Enterprise Application Platform Bugs Let Remote Users Execute Arbitrary Code, Deny Service, and Conduct Cross-Site Request Forgery Attacks

Source: SECTRACK
Type: UNKNOWN
1024813

Source: CCN
Type: JBoss Web site
JBoss Enterprise Application Platform

Source: CCN
Type: OSVDB ID: 70268
JBoss Enterprise Application Platform JMX Console WAR File Deployment CSRF

Source: REDHAT
Type: Vendor Advisory
RHSA-2010:0937

Source: REDHAT
Type: Vendor Advisory
RHSA-2010:0938

Source: REDHAT
Type: Vendor Advisory
RHSA-2010:0939

Source: CCN
Type: BID-45148
JBoss Enterprise Application Platform Multiple Remote Vulnerabilities

Source: CONFIRM
Type: UNKNOWN
https://bugzilla.redhat.com/show_bug.cgi?id=604617

Source: XF
Type: UNKNOWN
jboss-jmx-csrf(63668)

Vulnerable Configuration:

Configuration 1:

cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0:*:*:*:*:*:*:*

OR cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0:cp01:*:*:*:*:*:*

OR cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0:cp02:*:*:*:*:*:*

OR cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0:cp03:*:*:*:*:*:*

OR cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0:cp04:*:*:*:*:*:*

OR cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0:cp05:*:*:*:*:*:*

OR cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0:cp06:*:*:*:*:*:*

OR cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0:cp07:*:*:*:*:*:*

OR cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0:cp08:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:redhat:jboss_enterprise_application_platform:4.3:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:com.ubuntu.precise:def:20103878000	V	CVE-2010-3878 on Ubuntu 12.04 LTS (precise) - medium.	2010-12-30
oval:com.ubuntu.trusty:def:20103878000	V	CVE-2010-3878 on Ubuntu 14.04 LTS (trusty) - medium.	2010-12-30

BACK