Vulnerability Name:

CVE-2013-2133 (CCN-89473)

Assigned:2013-12-04
Published:2013-12-04
Updated:2019-04-22
Summary:The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) before 6.2.0, does not properly enforce the method level restrictions for JAX-WS Service endpoints, which allows remote authenticated users to access otherwise restricted JAX-WS handlers by leveraging permissions to the EJB class.
CVSS v3 Severity:4.0 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:5.5 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N)
4.0 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): None
2.1 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:P/A:N)
1.6 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-264
Vulnerability Consequences:Bypass Security
References:Source: MITRE
Type: CNA
CVE-2013-2133

Source: REDHAT
Type: Vendor Advisory
RHSA-2013:1784

Source: REDHAT
Type: Vendor Advisory
RHSA-2013:1785

Source: REDHAT
Type: Vendor Advisory
RHSA-2013:1786

Source: REDHAT
Type: UNKNOWN
RHSA-2015:0850

Source: REDHAT
Type: UNKNOWN
RHSA-2015:0851

Source: CCN
Type: OSVDB ID: 100657
Red Hat JBoss Enterprise Application Platform EJB Invocation Handler Method-level Authorization JAX-WS Handler Invocation

Source: CCN
Type: JBoss Web site
Red Hat | JBoss Enterprise Application Platform

Source: CCN
Type: BID-64125
JBoss Enterprise Application Platform CVE-2013-2133 Authorization Security Bypass Vulnerability

Source: SECTRACK
Type: UNKNOWN
1029431

Source: CCN
Type: Red Hat Bugzilla Bug 969924
(CVE-2013-2133) CVE-2013-2133 JBoss WS: EJB3 role restrictions are not applied to jaxws handlers

Source: XF
Type: UNKNOWN
jbosseap-cve20132133-security-bypass(89473)

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2013-2133

Vulnerable Configuration:Configuration 1:
  • cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0:cp09:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0:cp10:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_enterprise_application_platform:5.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_enterprise_application_platform:5.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_enterprise_application_platform:5.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_enterprise_application_platform:5.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_enterprise_application_platform:5.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_enterprise_application_platform:5.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_enterprise_application_platform:5.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_enterprise_application_platform:5.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_enterprise_application_platform:6.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_enterprise_application_platform:6.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_enterprise_application_platform:*:*:*:*:*:*:*:* (Version <= 6.1.0)

    • Configuration 2:
  • cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:redhat:jboss_enterprise_application_platform:6.2.0:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:com.ubuntu.precise:def:20132133000
    V
    		CVE-2013-2133 on Ubuntu 12.04 LTS (precise) - medium.
    2013-12-06
    oval:com.ubuntu.trusty:def:20132133000
    V
    		CVE-2013-2133 on Ubuntu 14.04 LTS (trusty) - medium.
    2013-12-06
    BACK
    redhat jboss enterprise application platform 4.2.0
    redhat jboss enterprise application platform 4.2.0 cp09
    redhat jboss enterprise application platform 4.3.0
    redhat jboss enterprise application platform 4.3.0 cp10
    redhat jboss enterprise application platform 5.0.0
    redhat jboss enterprise application platform 5.0.1
    redhat jboss enterprise application platform 5.1.0
    redhat jboss enterprise application platform 5.1.1
    redhat jboss enterprise application platform 5.1.2
    redhat jboss enterprise application platform 5.2.0
    redhat jboss enterprise application platform 5.2.1
    redhat jboss enterprise application platform 5.2.2
    redhat jboss enterprise application platform 6.0.0
    redhat jboss enterprise application platform 6.0.1
    redhat jboss enterprise application platform *
    redhat enterprise linux 5
    redhat enterprise linux 6.0
    redhat jboss enterprise application platform 6.2.0