CVE-2014-7827 - OpenCVE

The org.jboss.security.plugins.mapping.JBossMappingManager implementation in JBoss Security in Red Hat JBoss Enterprise Application Platform (EAP) before 6.3.3 uses the default security domain when a security domain is undefined, which allows remote authenticated users to bypass intended access restrictions by leveraging credentials on the default domain for a role that is also on the application domain.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Redhat	Jboss Enterprise Application Platform

Configuration 1 [-]

cpe:2.3:a:redhat:jboss_enterprise_application_platform:*:*:*:*:*:*:*:*

References

Link	Resource
http://rhn.redhat.com/errata/RHSA-2015-0215.html	Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2015-0216.html	Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2015-0217.html	Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2015-0218.html	Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2015-0850.html
http://rhn.redhat.com/errata/RHSA-2015-0851.html
http://www.securitytracker.com/id/1031741
https://exchange.xforce.ibmcloud.com/vulnerabilities/100889

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2015-02-13T15:00:00

Updated: 2017-09-07T15:57:01

Reserved: 2014-10-03T00:00:00

Link: CVE-2014-7827

JSON object: View

NVD Information

Status : Modified

Published: 2015-02-13T15:59:04.263

Modified: 2017-09-08T01:29:17.073

Link: CVE-2014-7827

JSON object: View

Redhat Information

No data.

CWE

CWE-264

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-02-11T00:00:00", "descriptions": [{"lang": "en", "value": "The org.jboss.security.plugins.mapping.JBossMappingManager implementation in JBoss Security in Red Hat JBoss Enterprise Application Platform (EAP) before 6.3.3 uses the default security domain when a security domain is undefined, which allows remote authenticated users to bypass intended access restrictions by leveraging credentials on the default domain for a role that is also on the application domain."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-09-07T15:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "RHSA-2015:0850", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0850.html"}, {"name": "RHSA-2015:0215", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0215.html"}, {"name": "RHSA-2015:0851", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0851.html"}, {"name": "RHSA-2015:0217", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0217.html"}, {"name": "RHSA-2015:0218", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0218.html"}, {"name": "RHSA-2015:0216", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0216.html"}, {"name": "redhat-jboss-cve20147827-sec-bypass(100889)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/100889"}, {"name": "1031741", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1031741"}]}}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2014-7827", "datePublished": "2015-02-13T15:00:00", "dateReserved": "2014-10-03T00:00:00", "dateUpdated": "2017-09-07T15:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "B2AC9D55-C1C7-4BAB-8D1E-F2413B19FA4C", "versionEndIncluding": "6.3.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The org.jboss.security.plugins.mapping.JBossMappingManager implementation in JBoss Security in Red Hat JBoss Enterprise Application Platform (EAP) before 6.3.3 uses the default security domain when a security domain is undefined, which allows remote authenticated users to bypass intended access restrictions by leveraging credentials on the default domain for a role that is also on the application domain."}, {"lang": "es", "value": "La implementaci\u00f3n org.jboss.security.plugins.mapping.JBossMappingManager en JBoss Security en Red Hat JBoss Enterprise Application Platform (EAP) anterior a 6.3.3 utiliza el dominio de seguridad por defecto cuando un dominio de seguridad no est\u00e1 definido, lo que permite a usuarios remotos autenticados evadir las restricciones de acceso mediante el aprovechamiento de las credenciales en el dominio por defecto para un rol que tambi\u00e9n est\u00e1 en el dominio de la aplicaci\u00f3n."}], "id": "CVE-2014-7827", "lastModified": "2017-09-08T01:29:17.073", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-02-13T15:59:04.263", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0215.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0216.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0217.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0218.html"}, {"source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2015-0850.html"}, {"source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2015-0851.html"}, {"source": "secalert@redhat.com", "url": "http://www.securitytracker.com/id/1031741"}, {"source": "secalert@redhat.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/100889"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}