CVE-2012-3369 - OpenCVE

The CallerIdentityLoginModule in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 allows remote attackers to gain privileges of the previous user via a null password, which causes the previous user's password to be used.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:H/Au:N/C:P/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Redhat	Jboss Enterprise Web Platform Jboss Enterprise Application Platform Jboss Enterprise Brms Platform

Configuration 1 [-]

cpe:2.3:a:redhat:jboss_enterprise_web_platform:5.2.0:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.2.0:*:*:*:*:*:*:*

Configuration 3 [-]

cpe:2.3:a:redhat:jboss_enterprise_brms_platform:*:*:*:*:*:*:*:*

References

Link	Resource
http://rhn.redhat.com/errata/RHSA-2013-0191.html	Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2013-0192.html	Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2013-0193.html	Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2013-0194.html	Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2013-0195.html	Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2013-0196.html	Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2013-0197.html	Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2013-0198.html	Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2013-0221.html	Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2013-0533.html
http://secunia.com/advisories/51984	Vendor Advisory
http://secunia.com/advisories/52054	Vendor Advisory
http://securitytracker.com/id?1028042
http://www.securityfocus.com/bid/57547
https://bugzilla.redhat.com/show_bug.cgi?id=836451
https://exchange.xforce.ibmcloud.com/vulnerabilities/81512

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2013-02-05T23:11:00

Updated: 2017-08-28T12:57:01

Reserved: 2012-06-14T00:00:00

Link: CVE-2012-3369

JSON object: View

NVD Information

Status : Modified

Published: 2013-02-05T23:55:01.427

Modified: 2017-08-29T01:31:54.667

Link: CVE-2012-3369

JSON object: View

Redhat Information

No data.

CWE

CWE-264

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2013-01-24T00:00:00", "descriptions": [{"lang": "en", "value": "The CallerIdentityLoginModule in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 allows remote attackers to gain privileges of the previous user via a null password, which causes the previous user's password to be used."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-28T12:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "RHSA-2013:0192", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0192.html"}, {"name": "RHSA-2013:0198", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0198.html"}, {"name": "RHSA-2013:0195", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0195.html"}, {"name": "RHSA-2013:0221", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0221.html"}, {"name": "RHSA-2013:0196", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0196.html"}, {"name": "RHSA-2013:0193", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0193.html"}, {"name": "51984", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/51984"}, {"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=836451"}, {"name": "1028042", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://securitytracker.com/id?1028042"}, {"name": "52054", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/52054"}, {"name": "jboss-eap-session-hijacking(81512)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81512"}, {"name": "RHSA-2013:0191", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0191.html"}, {"name": "RHSA-2013:0533", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0533.html"}, {"name": "RHSA-2013:0197", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0197.html"}, {"name": "57547", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/57547"}, {"name": "RHSA-2013:0194", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0194.html"}]}}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-3369", "datePublished": "2013-02-05T23:11:00", "dateReserved": "2012-06-14T00:00:00", "dateUpdated": "2017-08-28T12:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:jboss_enterprise_web_platform:5.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "38F66D5B-F906-437E-977E-F9F930648886", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "46849C8D-36E9-4E97-BB49-E04F4EB199E6", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:jboss_enterprise_brms_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "57FBD0FE-A84D-4707-A2DA-CB9F4920CBA8", "versionEndIncluding": "5.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The CallerIdentityLoginModule in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 allows remote attackers to gain privileges of the previous user via a null password, which causes the previous user's password to be used."}, {"lang": "es", "value": "CallerIdentityLoginModule en JBoss Enterprise Application Platform (EAP) anterior a versi\u00f3n 5.2.0, Web Platform (EWP) anterior a versi\u00f3n 5.2.0, BRMS Platform anterior a versi\u00f3n 5.3.1 y SOA Platform anterior a versi\u00f3n 5.3.1, y SOA Platform anterior a Versi\u00f3n 5.3.1, permite a los atacantes remotos alcanzar privilegios del usuario anterior por medio de una contrase\u00f1a null, lo que causa que sea usada la contrase\u00f1a del usuario anterior."}], "evaluatorComment": "Per http://rhn.redhat.com/errata/RHSA-2013-0198.html \"This JBoss Enterprise Web Platform 5.2.0 release serves as a replacement for JBoss Enterprise Web Platform 5.1.2, and includes bug fixes and enhancements.\" \r\n\r\nPer http://rhn.redhat.com/errata/RHSA-2013-0191.html \"This JBoss Enterprise Application Platform 5.2.0 release serves as a replacement for JBoss Enterprise Application Platform 5.1.2, and includes bug fixes and enhancements.\"", "id": "CVE-2012-3369", "lastModified": "2017-08-29T01:31:54.667", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2013-02-05T23:55:01.427", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0191.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0192.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0193.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0194.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0195.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0196.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0197.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0198.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0221.html"}, {"source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2013-0533.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/51984"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/52054"}, {"source": "secalert@redhat.com", "url": "http://securitytracker.com/id?1028042"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/57547"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=836451"}, {"source": "secalert@redhat.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81512"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}