Vulnerability Name: CVE-2012-3369 (CCN-81512)
Assigned: 2012-06-14
Published: 2013-01-24
Updated: 2017-08-29

Summary:
  The CallerIdentityLoginModule in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 allows remote attackers to gain privileges of the previous user via a null password, which causes the previous user's password to be used.
  Per http://rhn.redhat.com/errata/RHSA-2013-0198.html: "This JBoss Enterprise Web Platform 5.2.0 release serves as a replacement for JBoss Enterprise Web Platform 5.1.2, and includes bug fixes and enhancements."
  Per http://rhn.redhat.com/errata/RHSA-2013-0191.html: "This JBoss Enterprise Application Platform 5.2.0 release serves as a replacement for JBoss Enterprise Application Platform 5.1.2, and includes bug fixes and enhancements."

CVSS v3 Severity:
  5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVSS v2 Severity:
  4.0 Medium (CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N)
  3.0 Low (Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C)
  3.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Vulnerability Type: CWE-264
Vulnerability Consequences: Gain Access

References:
  Source   | Type            | Reference
  MITRE    | CNA             | CVE-2012-3369
  CCN      | RHSA-2013-0191  | Important: JBoss Enterprise Application Platform 5.2.0 update
  REDHAT   | Vendor Advisory | RHSA-2013:0191
  CCN      | RHSA-2013-0192  | Important: JBoss Enterprise Application Platform 5.2.0 update
  REDHAT   | Vendor Advisory | RHSA-2013:0192
  CCN      | RHSA-2013-0193  | Important: JBoss Enterprise Application Platform 5.2.0 update
  REDHAT   | Vendor Advisory | RHSA-2013:0193
  CCN      | RHSA-2013-0194  | Important: JBoss Enterprise Application Platform 5.2.0 update
  REDHAT   | Vendor Advisory | RHSA-2013:0194
  CCN      | RHSA-2013-0195  | Important: JBoss Enterprise Web Platform 5.2.0 update
  REDHAT   | Vendor Advisory | RHSA-2013:0195
  CCN      | RHSA-2013-0196  | Important: JBoss Enterprise Web Platform 5.2.0 update
  REDHAT   | Vendor Advisory | RHSA-2013:0196
  CCN      | RHSA-2013-0197  | Important: JBoss Enterprise Web Platform 5.2.0 update
  REDHAT   | Vendor Advisory | RHSA-2013:0197
  CCN      | RHSA-2013-0198  | Important: JBoss Enterprise Web Platform 5.2.0 update
  REDHAT   | Vendor Advisory | RHSA-2013:0198
  REDHAT   | Vendor Advisory | RHSA-2013:0221
  REDHAT   | UNKNOWN         | RHSA-2013:0533
  SECUNIA  | Vendor Advisory | 51984
  SECUNIA  | Vendor Advisory | 52054
  SECTRACK | UNKNOWN         | 1028042
  CCN      | JBoss Web site  | JBoss Enterprise Application Platform
  BID      | UNKNOWN         | 57547
  CCN      | BID-57547       | JBoss Enterprise Application Platform CVE-2012-3369 Security Bypass Vulnerability
  MISC     | UNKNOWN         | https://bugzilla.redhat.com/show_bug.cgi?id=836451
  XF       | UNKNOWN         | jboss-eap-session-hijacking(81512)

Vulnerable Configuration:
  Configuration 1:
  Configuration 2:
  Configuration 3:
  Configuration CCN 1: