Vulnerability Name: CVE-2012-5478 (CCN-81514)
Assigned: 2012-10-24
Published: 2013-01-24
Updated: 2017-08-29
Summary: The AuthorizationInterceptor in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 does not properly restrict access, which allows remote authenticated users to bypass intended role restrictions and perform arbitrary JMX operations via unspecified vectors.
    Per http://rhn.redhat.com/errata/RHSA-2013-0192.html: "This JBoss Enterprise Application Platform 5.2.0 release serves as a replacement for JBoss Enterprise Application Platform 5.1.2, and includes bug fixes and enhancements."
    Per http://rhn.redhat.com/errata/RHSA-2013-0196.html: "This JBoss Enterprise Web Platform 5.2.0 release serves as a replacement for JBoss Enterprise Web Platform 5.1.2, and includes bug fixes and enhancements."
CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVSS v2 Severity:
    4.9 Medium (CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:P/A:N)
    3.6 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:U/RL:OF/RC:C)
    3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Vulnerability Type: CWE-264
Vulnerability Consequences: Bypass Security
References:
    Source: MITRE, Type: CNA, CVE-2012-5478
    Source: CCN, Type: RHSA-2013-0191 Important: JBoss Enterprise Application Platform 5.2.0 update
    Source: REDHAT, Type: Vendor Advisory, RHSA-2013:0191
    Source: CCN, Type: RHSA-2013-0192 Important: JBoss Enterprise Application Platform 5.2.0 update
    Source: REDHAT, Type: Vendor Advisory, RHSA-2013:0192
    Source: CCN, Type: RHSA-2013-0193 Important: JBoss Enterprise Application Platform 5.2.0 update
    Source: REDHAT, Type: Vendor Advisory, RHSA-2013:0193
    Source: CCN, Type: RHSA-2013-0194 Important: JBoss Enterprise Application Platform 5.2.0 update
    Source: REDHAT, Type: Vendor Advisory, RHSA-2013:0194
    Source: CCN, Type: RHSA-2013-0195 Important: JBoss Enterprise Web Platform 5.2.0 update
    Source: REDHAT, Type: Vendor Advisory, RHSA-2013:0195
    Source: CCN, Type: RHSA-2013-0196 Important: JBoss Enterprise Web Platform 5.2.0 update
    Source: REDHAT, Type: Vendor Advisory, RHSA-2013:0196
    Source: CCN, Type: RHSA-2013-0197 Important: JBoss Enterprise Web Platform 5.2.0 update
    Source: REDHAT, Type: Vendor Advisory, RHSA-2013:0197
    Source: CCN, Type: RHSA-2013-0198 Important: JBoss Enterprise Web Platform 5.2.0 update
    Source: REDHAT, Type: Vendor Advisory, RHSA-2013:0198
    Source: REDHAT, Type: Vendor Advisory, RHSA-2013:0221
    Source: REDHAT, Type: UNKNOWN, RHSA-2013:0533
    Source: SECUNIA, Type: Vendor Advisory, 51984
    Source: SECUNIA, Type: Vendor Advisory, 52054
    Source: SECTRACK, Type: UNKNOWN, 1028042
    Source: CCN, Type: JBoss Web site, JBoss Enterprise Application Platform
    Source: OSVDB, Type: UNKNOWN, 89580
    Source: CCN, Type: BID-57551, JBoss Enterprise Application Platform CVE-2012-5478 Security Bypass Vulnerability
    Source: XF, Type: UNKNOWN, jboss-eap-jmx-sec-bypass(81514)
Vulnerable Configuration:
    Configuration 1:
    Configuration 2:
    Configuration 3:
    Configuration CCN 1: