ID CVE-2010-1428
Summary The Web Console (aka web-console) in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to obtain sensitive information via an unspecified request that uses a different method.
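The summary describes a method-scoped security constraint: when a Servlet 2.4 web.xml names GET and POST in the web-resource-collection, the constraint (and the authentication it triggers) applies to those two verbs only, and every other verb reaches the console unauthenticated. The following added example, which is not code from the page, from Red Hat or from the JBoss project, models that rule and gives a probe a tester can point at a host. Both web.xml fragments are constructed to illustrate the pattern rather than copied from the shipped web-console, the role name JBossAdmin and the host/port in `http_sender` are hypothetical, and the "fixed" fragment illustrates the Servlet-spec semantics (no http-method element means all methods) rather than the exact change shipped in CP09/CP08, which the page does not describe. Paths are context-relative, as url-pattern values are.

```python
"""Servlet security-constraint method matching plus an HTTP verb probe.

Added example; not JBoss code and not the shipped web-console web.xml.
"""
import http.client
import xml.etree.ElementTree as ET
from typing import Callable, Iterable, List

# Constructed: constraint limited to GET and POST, so any other verb
# (HEAD, PUT, DELETE, OPTIONS, TRACE, or an invented one) is not covered.
WEB_XML_VULNERABLE = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Console</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

# Constructed: same constraint with the <http-method> elements removed.
# Per the Servlet 2.4 spec a collection with no <http-method> covers all methods.
WEB_XML_FIXED = WEB_XML_VULNERABLE.replace(
    "      <http-method>GET</http-method>\n      <http-method>POST</http-method>\n", "")


def _local(tag: str) -> str:
    """Strip the XML namespace so matching works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _texts(elem, name: str) -> List[str]:
    return [c.text.strip() for c in elem if _local(c.tag) == name and c.text]


def url_pattern_matches(pattern: str, path: str) -> bool:
    """Servlet url-pattern rules: default (/), prefix (/x/*), extension (*.jsp), exact."""
    if pattern in ("/", "/*"):
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def constraint_applies(web_xml: str, path: str, method: str) -> bool:
    """True if a <security-constraint> carrying an <auth-constraint> covers (path, method)."""
    root = ET.fromstring(web_xml)
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        if not any(_local(c.tag) == "auth-constraint" for c in sc):
            continue
        for wrc in (c for c in sc if _local(c.tag) == "web-resource-collection"):
            methods = {m.upper() for m in _texts(wrc, "http-method")}
            if methods and method.upper() not in methods:
                continue  # listed verbs only: this verb silently falls outside the constraint
            if any(url_pattern_matches(p, path) for p in _texts(wrc, "url-pattern")):
                return True
    return False


def unprotected_methods(web_xml: str, path: str, methods: Iterable[str]) -> List[str]:
    """Verbs for which no auth constraint applies; each is a bypass candidate."""
    return [m for m in methods if not constraint_applies(web_xml, path, m)]


PROBE_METHODS = ("GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE", "BYPASS")


def find_bypass_verbs(send: Callable[[str, str], int], path: str,
                      methods: Iterable[str] = PROBE_METHODS) -> List[str]:
    """Live check. `send(method, path)` returns the HTTP status with no credentials.

    If GET is challenged (401/403), every other verb that is answered with
    anything else reached the application without the authenticator running.
    """
    if send("GET", path) not in (401, 403):
        return []  # console is unprotected for GET as well, or not deployed
    return [m for m in methods if m != "GET" and send(m, path) not in (401, 403)]


def http_sender(host: str, port: int = 8080) -> Callable[[str, str], int]:
    """Sender over http.client for a real target (hypothetical host, no credentials)."""
    def send(method: str, path: str) -> int:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request(method, path)
        status = conn.getresponse().status
        conn.close()
        return status
    return send


if __name__ == "__main__":
    print("vulnerable:", unprotected_methods(WEB_XML_VULNERABLE, "/", PROBE_METHODS))
    print("fixed:     ", unprotected_methods(WEB_XML_FIXED, "/", PROBE_METHODS))
```

Against a live host the same check is `find_bypass_verbs(http_sender("target.example"), "/web-console/")`; a HEAD or bogus verb that is answered without a 401 where GET gets one is the condition the summary describes. The offline half lets you audit a web.xml before deployment: any listed verb set that excludes HEAD, or any verb at all, is the weak pattern.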
References
Vulnerable Configurations
  • cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:-:*:*:*:*:*:*
  • cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:-:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 28-06-2024 - 17:24)
Impact: 2.9
Exploitability: 10.0
CWE NVD-CWE-noinfo
CAPEC
Access
  Vector NETWORK
  Complexity LOW
  Authentication NONE
Impact
  Confidentiality PARTIAL
  Integrity NONE
  Availability NONE
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:N/A:N
redhat via4
advisories
  • rhsa
    id RHSA-2010:0376
  • rhsa
    id RHSA-2010:0377
  • rhsa
    id RHSA-2010:0378
  • rhsa
    id RHSA-2010:0379
rpms
  • hibernate3-1:3.2.4-1.SP1_CP10.0jpp.ep1.1.el4
  • hibernate3-annotations-0:3.3.1-1.12.GA_CP03.ep1.el4
  • hibernate3-annotations-javadoc-0:3.3.1-1.12.GA_CP03.ep1.el4
  • hibernate3-javadoc-1:3.2.4-1.SP1_CP10.0jpp.ep1.1.el4
  • hsqldb-1:1.8.0.8-3.patch03.1jpp.ep1.3.el4
  • jacorb-0:2.3.0-1jpp.ep1.10.el4
  • jakarta-commons-httpclient-1:3.0.1-1.patch01.1jpp.ep1.4.el4
  • jboss-aop-0:1.5.5-3.CP05.2.ep1.el4
  • jboss-cache-0:1.4.1-6.SP14.1.ep1.el4
  • jboss-remoting-0:2.2.3-3.SP2.ep1.el4
  • jboss-seam-0:1.2.1-1.ep1.24.el4
  • jboss-seam-docs-0:1.2.1-1.ep1.24.el4
  • jbossas-0:4.2.0-6.GA_CP09.6.ep1.el4
  • jbossas-4.2.0.GA_CP09-bin-0:4.2.0-6.GA_CP09.6.ep1.el4
  • jbossas-client-0:4.2.0-6.GA_CP09.6.ep1.el4
  • jbossts-1:4.2.3-1.SP5_CP09.1jpp.ep1.1.el4
  • jbossweb-0:2.0.0-6.CP13.0jpp.ep1.1.el4
  • rh-eap-docs-0:4.2.0-7.GA_CP09.ep1.5.el4
  • rh-eap-docs-examples-0:4.2.0-7.GA_CP09.ep1.5.el4
  • hibernate3-1:3.2.4-1.SP1_CP10.0jpp.ep1.1.el4
  • hibernate3-annotations-0:3.3.1-1.12.GA_CP03.ep1.el4
  • hibernate3-annotations-javadoc-0:3.3.1-1.12.GA_CP03.ep1.el4
  • hibernate3-javadoc-1:3.2.4-1.SP1_CP10.0jpp.ep1.1.el4
  • hsqldb-1:1.8.0.8-3.patch03.1jpp.ep1.3.el4
  • jacorb-0:2.3.0-1jpp.ep1.10.el4
  • jakarta-commons-httpclient-1:3.0.1-1.patch01.1jpp.ep1.4.el4
  • jboss-aop-0:1.5.5-3.CP05.2.ep1.el4
  • jboss-cache-0:1.4.1-6.SP14.1.ep1.el4
  • jboss-messaging-0:1.4.0-3.SP3_CP10.2.ep1.el4
  • jboss-remoting-0:2.2.3-3.SP2.ep1.el4
  • jboss-seam-0:1.2.1-3.JBPAPP_4_3_0_GA.ep1.20.el4
  • jboss-seam-docs-0:1.2.1-3.JBPAPP_4_3_0_GA.ep1.20.el4
  • jboss-seam2-0:2.0.2.FP-1.ep1.23.el4
  • jboss-seam2-docs-0:2.0.2.FP-1.ep1.23.el4
  • jbossas-0:4.3.0-7.GA_CP08.5.ep1.el4
  • jbossas-4.3.0.GA_CP08-bin-0:4.3.0-7.GA_CP08.5.ep1.el4
  • jbossas-client-0:4.3.0-7.GA_CP08.5.ep1.el4
  • jbossts-1:4.2.3-1.SP5_CP09.1jpp.ep1.1.el4
  • jbossweb-0:2.0.0-6.CP13.0jpp.ep1.1.el4
  • jbossws-0:2.0.1-5.SP2_CP08.1.ep1.el4
  • rh-eap-docs-0:4.3.0-7.GA_CP08.ep1.6.el4
  • rh-eap-docs-examples-0:4.3.0-7.GA_CP08.ep1.6.el4
  • hibernate3-1:3.2.4-1.SP1_CP10.0jpp.ep1.1.el5
  • hibernate3-annotations-0:3.3.1-1.12.GA_CP03.ep1.el5
  • hibernate3-annotations-javadoc-0:3.3.1-1.12.GA_CP03.ep1.el5
  • hibernate3-javadoc-1:3.2.4-1.SP1_CP10.0jpp.ep1.1.el5
  • jacorb-0:2.3.0-1jpp.ep1.10.1.el5
  • jboss-aop-0:1.5.5-3.CP05.2.ep1.1.el5
  • jboss-cache-0:1.4.1-6.SP14.1.ep1.1.el5
  • jboss-remoting-0:2.2.3-3.SP2.ep1.1.el5
  • jboss-seam-0:1.2.1-1.ep1.24.el5
  • jboss-seam-docs-0:1.2.1-1.ep1.24.el5
  • jbossas-0:4.2.0-6.GA_CP09.6.ep1.el5
  • jbossas-4.2.0.GA_CP09-bin-0:4.2.0-6.GA_CP09.6.ep1.el5
  • jbossas-client-0:4.2.0-6.GA_CP09.6.ep1.el5
  • jbossts-1:4.2.3-1.SP5_CP09.1jpp.ep1.1.1.el5
  • jbossweb-0:2.0.0-6.CP13.0jpp.ep1.1.1.el5
  • rh-eap-docs-0:4.2.0-7.GA_CP09.ep1.4.1.el5
  • rh-eap-docs-examples-0:4.2.0-7.GA_CP09.ep1.4.1.el5
  • hibernate3-1:3.2.4-1.SP1_CP10.0jpp.ep1.1.el5
  • hibernate3-annotations-0:3.3.1-1.12.GA_CP03.ep1.el5
  • hibernate3-annotations-javadoc-0:3.3.1-1.12.GA_CP03.ep1.el5
  • hibernate3-javadoc-1:3.2.4-1.SP1_CP10.0jpp.ep1.1.el5
  • jacorb-0:2.3.0-1jpp.ep1.10.1.el5
  • jboss-aop-0:1.5.5-3.CP05.2.ep1.1.el5
  • jboss-cache-0:1.4.1-6.SP14.1.ep1.1.el5
  • jboss-messaging-0:1.4.0-3.SP3_CP10.2.ep1.el5
  • jboss-remoting-0:2.2.3-3.SP2.ep1.1.el5
  • jboss-seam-0:1.2.1-3.JBPAPP_4_3_0_GA.ep1.20.el5.1
  • jboss-seam-docs-0:1.2.1-3.JBPAPP_4_3_0_GA.ep1.20.el5.1
  • jboss-seam2-0:2.0.2.FP-1.ep1.23.el5
  • jboss-seam2-docs-0:2.0.2.FP-1.ep1.23.el5
  • jbossas-0:4.3.0-7.GA_CP08.5.ep1.el5
  • jbossas-4.3.0.GA_CP08-bin-0:4.3.0-7.GA_CP08.5.ep1.el5
  • jbossas-client-0:4.3.0-7.GA_CP08.5.ep1.el5
  • jbossts-1:4.2.3-1.SP5_CP09.1jpp.ep1.1.1.el5
  • jbossweb-0:2.0.0-6.CP13.0jpp.ep1.1.1.el5
  • jbossws-0:2.0.1-5.SP2_CP08.1.ep1.1.el5
  • rh-eap-docs-0:4.3.0-7.GA_CP08.ep1.5.el5
  • rh-eap-docs-examples-0:4.3.0-7.GA_CP08.ep1.5.el5
refmap via4
bid 39710
confirm https://bugzilla.redhat.com/show_bug.cgi?id=585899
hp
  • HPSBMU02736
  • SSRT100699
sectrack 1023917
secunia 39563
vupen ADV-2010-0992
xf jboss-webconsole-information-disclosure(58148)
saint via4
bid 39710
description RedHat JBoss Enterprise Application Platform JMX Console Authentication Bypass
id web_dev_jbossasver
osvdb 64171
title jboss_application_server_jmx_console_authentication_bypass
type remote
Last major update 28-06-2024 - 17:24
Published 28-04-2010 - 22:30
Last modified 28-06-2024 - 17:24