CVE-2014-3464

2014-08-1918:55:01

CWE-264

[email protected]

web.nvd.nist.gov

cve-2014-3464

red hat

jbossws

jboss enterprise application platform

eap 6.2.0

eap 6.3.0

method level restrictions

jax-ws handlers

remote authenticated users

cve-2013-2133

incomplete fix

5.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:P/A:N

8.9 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

61.2%

JSON

The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) 6.2.0 and 6.3.0, does not properly enforce the method level restrictions for outbound messages, which allows remote authenticated users to access otherwise restricted JAX-WS handlers by leveraging permissions to the EJB class. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-2133.

Affected configurations

NVD

Node

redhatjboss_enterprise_application_platformMatch6.2.0

redhatjboss_enterprise_application_platformMatch6.3.0

CPENameOperatorVersion
redhat:jboss_enterprise_application_platformredhat jboss enterprise application platformeq6.2.0
redhat:jboss_enterprise_application_platformredhat jboss enterprise application platformeq6.3.0

CPE	Name	Operator	Version
redhat:jboss_enterprise_application_platform	redhat jboss enterprise application platform	eq	6.2.0
redhat:jboss_enterprise_application_platform	redhat jboss enterprise application platform	eq	6.3.0