CVE-2012-5478 - OpenCVE

The AuthorizationInterceptor in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 does not properly restrict access, which allows remote authenticated users to bypass intended role restrictions and perform arbitrary JMX operations via unspecified vectors.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:P/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Redhat	Jboss Enterprise Application Platform Jboss Enterprise Web Platform Jboss Enterprise Brms Platform

Configuration 1 [-]

cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.2.0:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:a:redhat:jboss_enterprise_web_platform:5.2.0:*:*:*:*:*:*:*

Configuration 3 [-]

cpe:2.3:a:redhat:jboss_enterprise_brms_platform:*:*:*:*:*:*:*:*

References

Link	Resource
http://rhn.redhat.com/errata/RHSA-2013-0191.html	Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2013-0192.html	Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2013-0193.html	Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2013-0194.html	Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2013-0195.html	Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2013-0196.html	Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2013-0197.html	Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2013-0198.html	Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2013-0221.html	Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2013-0533.html
http://secunia.com/advisories/51984	Vendor Advisory
http://secunia.com/advisories/52054	Vendor Advisory
http://securitytracker.com/id?1028042
http://www.osvdb.org/89580
https://exchange.xforce.ibmcloud.com/vulnerabilities/81514

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2013-02-05T23:11:00

Updated: 2017-08-28T12:57:01

Reserved: 2012-10-24T00:00:00

Link: CVE-2012-5478

JSON object: View

NVD Information

Status : Modified

Published: 2013-02-05T23:55:01.553

Modified: 2017-08-29T01:32:41.213

Link: CVE-2012-5478

JSON object: View

Redhat Information

No data.

CWE

CWE-264

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2013-01-24T00:00:00", "descriptions": [{"lang": "en", "value": "The AuthorizationInterceptor in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 does not properly restrict access, which allows remote authenticated users to bypass intended role restrictions and perform arbitrary JMX operations via unspecified vectors."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-28T12:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "RHSA-2013:0192", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0192.html"}, {"name": "RHSA-2013:0198", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0198.html"}, {"name": "RHSA-2013:0195", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0195.html"}, {"name": "RHSA-2013:0221", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0221.html"}, {"name": "89580", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://www.osvdb.org/89580"}, {"name": "RHSA-2013:0196", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0196.html"}, {"name": "RHSA-2013:0193", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0193.html"}, {"name": "51984", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/51984"}, {"name": "1028042", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://securitytracker.com/id?1028042"}, {"name": "52054", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/52054"}, {"name": "RHSA-2013:0191", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0191.html"}, {"name": "RHSA-2013:0533", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0533.html"}, {"name": "RHSA-2013:0197", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0197.html"}, {"name": "jboss-eap-jmx-sec-bypass(81514)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81514"}, {"name": "RHSA-2013:0194", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0194.html"}]}}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-5478", "datePublished": "2013-02-05T23:11:00", "dateReserved": "2012-10-24T00:00:00", "dateUpdated": "2017-08-28T12:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "46849C8D-36E9-4E97-BB49-E04F4EB199E6", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:jboss_enterprise_web_platform:5.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "38F66D5B-F906-437E-977E-F9F930648886", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:jboss_enterprise_brms_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "57FBD0FE-A84D-4707-A2DA-CB9F4920CBA8", "versionEndIncluding": "5.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The AuthorizationInterceptor in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 does not properly restrict access, which allows remote authenticated users to bypass intended role restrictions and perform arbitrary JMX operations via unspecified vectors."}, {"lang": "es", "value": "El AuthorizationInterceptor en JBoss Enterprise Application Platform (EAP) anterior a versi\u00f3n 5.2.0, Web Platform (EWP) anterior a versi\u00f3n 5.2.0, BRMS Platform anterior a versi\u00f3n 5.3.1 y SOA Platform anterior a versi\u00f3n 5.3.1, no restringe apropiadamente el acceso, lo que permite a los usuarios remotos autenticados omitir las restricciones de rol previstas y realizar operaciones JMX arbitrarias por medio de vectores no especificados."}], "evaluatorComment": "Per http://rhn.redhat.com/errata/RHSA-2013-0192.html \"This JBoss Enterprise Application Platform 5.2.0 release serves as a replacement for JBoss Enterprise Application Platform 5.1.2, and includes bug fixes and enhancements.\" Per http://rhn.redhat.com/errata/RHSA-2013-0196.html \"This JBoss Enterprise Web Platform 5.2.0 release serves as a replacement for JBoss Enterprise Web Platform 5.1.2, and includes bug fixes and enhancements.\"", "id": "CVE-2012-5478", "lastModified": "2017-08-29T01:32:41.213", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.9, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2013-02-05T23:55:01.553", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0191.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0192.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0193.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0194.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0195.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0196.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0197.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0198.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0221.html"}, {"source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2013-0533.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/51984"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/52054"}, {"source": "secalert@redhat.com", "url": "http://securitytracker.com/id?1028042"}, {"source": "secalert@redhat.com", "url": "http://www.osvdb.org/89580"}, {"source": "secalert@redhat.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81514"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}