The servlets invoked by httpha-invoker in JBoss Enterprise Application Platform before 5.1.2, SOA Platform before 5.2.0, BRMS Platform before 5.3.0, and Portal Platform before 4.3 CP07 perform access control only for the GET and POST methods, which allow remote attackers to bypass authentication by sending a request with a different method. NOTE: this vulnerability exists because of a CVE-2010-0738 regression.
References
Link | Resource |
---|---|
http://rhn.redhat.com/errata/RHSA-2011-1456.html | Vendor Advisory |
http://rhn.redhat.com/errata/RHSA-2011-1798.html | Vendor Advisory |
http://rhn.redhat.com/errata/RHSA-2011-1799.html | Vendor Advisory |
http://rhn.redhat.com/errata/RHSA-2011-1800.html | Vendor Advisory |
http://rhn.redhat.com/errata/RHSA-2011-1805.html | Vendor Advisory |
http://rhn.redhat.com/errata/RHSA-2011-1822.html | |
http://rhn.redhat.com/errata/RHSA-2012-0091.html | Vendor Advisory |
http://rhn.redhat.com/errata/RHSA-2012-1028.html | Vendor Advisory |
http://secunia.com/advisories/47169 | Vendor Advisory |
http://secunia.com/advisories/47866 | Vendor Advisory |
https://bugzilla.redhat.com/show_bug.cgi?id=750422 |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
History
07 Nov 2023, 02:09
Type | Values Removed | Values Added |
---|---|---|
Summary | The servlets invoked by httpha-invoker in JBoss Enterprise Application Platform before 5.1.2, SOA Platform before 5.2.0, BRMS Platform before 5.3.0, and Portal Platform before 4.3 CP07 perform access control only for the GET and POST methods, which allow remote attackers to bypass authentication by sending a request with a different method. NOTE: this vulnerability exists because of a CVE-2010-0738 regression. |
Information
Published : 2012-11-23 20:55
Updated : 2024-02-28 12:00
NVD link : CVE-2011-4085
Mitre link : CVE-2011-4085
CVE.ORG link : CVE-2011-4085
JSON object : View
Products Affected
redhat
- jboss_enterprise_brms_platform
- jboss_enterprise_portal_platform
- jboss_enterprise_application_platform
- jboss_enterprise_soa_platform
CWE
CWE-287
Improper Authentication