CVSS2

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | NONE |
Vector string | AV:N/AC:M/Au:N/C:P/I:P/A:N |
Base score | 5.8 (derived from the vector string above) |

EPSS

Percentile | 55.9% |
The processInvocation function in
org.jboss.as.ejb3.security.AuthorizationInterceptor in JBoss Enterprise
Application Platform (aka JBoss EAP or JBEAP) before 6.0.1 authorizes all
requests when no roles are allowed for an Enterprise Java Beans (EJB)
method invocation. An EJB method that carries no role restriction is therefore
treated as open to every caller, which allows attackers to bypass intended
access restrictions for EJB methods.
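The following is an added example that models the authorization decision the description refers to; it is not JBoss EAP's own AuthorizationInterceptor code. It reproduces the fail-open pattern (a method with no roles configured is allowed for everybody) next to a fail-closed variant, and adds a reflection-based audit that lists bean methods carrying no security annotation at all. The annotations are stand-ins for javax.annotation.security.RolesAllowed, PermitAll and DenyAll, redefined here so the file runs on a bare JDK; AccountBean and its methods are hypothetical.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Set;

/**
 * Model of the EJB method authorization decision. Illustrative code only,
 * not JBoss EAP's AuthorizationInterceptor.
 */
public class EjbAuthorizationModel {

    // Stand-ins for javax.annotation.security.RolesAllowed / PermitAll / DenyAll
    // (assumption: same semantics; redefined so this file needs no extra jars).
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface RolesAllowed { String[] value(); }
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface PermitAll {}
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface DenyAll {}

    // Hypothetical bean: transfer() was never given a security annotation.
    public static class AccountBean {
        @RolesAllowed({"admin"}) public void closeAccount(String id) {}
        @PermitAll public long balance(String id) { return 0L; }
        public void transfer(String from, String to, long amount) {}
    }

    static Set<String> rolesAllowedFor(Method m) {
        RolesAllowed ra = m.getAnnotation(RolesAllowed.class);
        return ra == null ? new HashSet<>() : new HashSet<>(Arrays.asList(ra.value()));
    }

    /** Decision with the flaw the advisory describes: no roles means everyone passes. */
    static boolean vulnerableDecision(Method m, Set<String> callerRoles) {
        if (m.isAnnotationPresent(DenyAll.class)) return false;
        if (m.isAnnotationPresent(PermitAll.class)) return true;
        Set<String> allowed = rolesAllowedFor(m);
        if (!allowed.isEmpty()) {
            for (String role : callerRoles) if (allowed.contains(role)) return true;
            return false;
        }
        return true; // fail-open: an unannotated method behaves like @PermitAll
    }

    /** Fail-closed variant: a method with no permissions at all is denied. */
    static boolean fixedDecision(Method m, Set<String> callerRoles) {
        if (m.isAnnotationPresent(DenyAll.class)) return false;
        if (m.isAnnotationPresent(PermitAll.class)) return true;
        Set<String> allowed = rolesAllowedFor(m);
        if (allowed.isEmpty()) return false; // no roles and no explicit permit: deny
        for (String role : callerRoles) if (allowed.contains(role)) return true;
        return false;
    }

    /** Audit helper: public bean methods that carry no security annotation at all. */
    static Set<String> unprotectedMethods(Class<?> bean) {
        Set<String> out = new LinkedHashSet<>();
        for (Method m : bean.getDeclaredMethods()) {
            if (!Modifier.isPublic(m.getModifiers())) continue;
            if (m.isAnnotationPresent(RolesAllowed.class)
                    || m.isAnnotationPresent(PermitAll.class)
                    || m.isAnnotationPresent(DenyAll.class)) continue;
            out.add(m.getName());
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        Method transfer = AccountBean.class.getMethod("transfer", String.class, String.class, long.class);
        Method close = AccountBean.class.getMethod("closeAccount", String.class);
        Set<String> anonymous = new HashSet<>();                 // unauthenticated caller
        Set<String> admin = new HashSet<>(Arrays.asList("admin"));

        System.out.println("vulnerable, anonymous -> transfer: " + vulnerableDecision(transfer, anonymous));
        System.out.println("fixed,      anonymous -> transfer: " + fixedDecision(transfer, anonymous));
        System.out.println("vulnerable, anonymous -> closeAccount: " + vulnerableDecision(close, anonymous));
        System.out.println("fixed,      admin -> closeAccount: " + fixedDecision(close, admin));
        System.out.println("methods with no security annotation: " + unprotectedMethods(AccountBean.class));
    }
}
```

Run it with `java EjbAuthorizationModel.java` on JDK 11 or later. The anonymous caller reaches transfer() under the vulnerable decision and is refused under the fail-closed one, while the explicitly annotated methods behave the same either way; the audit reports transfer as the only method with no permission declared. Later EAP and WildFly releases expose the fail-closed behaviour as the ejb3 subsystem setting default-missing-method-permissions-deny-access; on any deployment, confirm that it is true, or make every business method carry an explicit @RolesAllowed, @PermitAll or @DenyAll so that no method depends on the container's default.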
Author | Note |
---|---|
ebarretto | only builds a few libraries, not the full application server |