All the vulnerabilites related to redhat - jboss_application_server
cve-2011-3609
Vulnerability from cvelistv5
Published
2019-11-26 02:03
Modified
2024-08-06 23:37
Severity ?
EPSS score ?
Summary
A CSRF issue was found in JBoss Application Server 7 before 7.1.0. JBoss did not properly restrict access to the management console information (for example via the "Access-Control-Allow-Origin" HTTP access control flag). This can lead to unauthorized information leak if a user with admin privileges visits a specially-crafted web page provided by a remote attacker.
References
| ▼ | URL | Tags |
|---|---|---|
| https://security-tracker.debian.org/tracker/CVE-2011-3609 | x_refsource_MISC | |
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3609 | x_refsource_MISC | |
| https://access.redhat.com/security/cve/cve-2011-3609 | x_refsource_MISC | |
| https://www.securityfocus.com/bid/50888 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | JBoss Application Server | JBoss Application Server |
Version: 7 before 7.1.0 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T23:37:48.463Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2011-3609"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3609"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/cve-2011-3609"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.securityfocus.com/bid/50888"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "JBoss Application Server",
"vendor": "JBoss Application Server",
"versions": [
{
"status": "affected",
"version": "7 before 7.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A CSRF issue was found in JBoss Application Server 7 before 7.1.0. JBoss did not properly restrict access to the management console information (for example via the \"Access-Control-Allow-Origin\" HTTP access control flag). This can lead to unauthorized information leak if a user with admin privileges visits a specially-crafted web page provided by a remote attacker."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Request Forgery ",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-26T02:03:48",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2011-3609"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3609"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://access.redhat.com/security/cve/cve-2011-3609"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.securityfocus.com/bid/50888"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2011-3609",
"datePublished": "2019-11-26T02:03:48",
"dateReserved": "2011-09-21T00:00:00",
"dateUpdated": "2024-08-06T23:37:48.463Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2013-3734
Vulnerability from cvelistv5
Published
2017-10-24 15:00
Modified
2024-08-06 16:22
Severity ?
EPSS score ?
Summary
The Embedded Jopr component in JBoss Application Server includes the cleartext datasource password in unspecified HTML responses, which might allow (1) man-in-the-middle attackers to obtain sensitive information by leveraging failure to use SSL or (2) attackers to obtain sensitive information by reading the HTML source code. NOTE: the vendor says that this does not cross a trust boundary and that it is recommended best-practice that SSL is configured for the administrative console
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.halock.com/blog/cve-2013-3734-jboss-administration-console-password-returned-response/ | x_refsource_MISC | |
| http://www.securityfocus.com/bid/60429 | vdb-entry, x_refsource_BID | |
| https://bugzilla.redhat.com/show_bug.cgi?id=971637 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T16:22:00.733Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.halock.com/blog/cve-2013-3734-jboss-administration-console-password-returned-response/"
},
{
"name": "60429",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/60429"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=971637"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2003-06-02T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The Embedded Jopr component in JBoss Application Server includes the cleartext datasource password in unspecified HTML responses, which might allow (1) man-in-the-middle attackers to obtain sensitive information by leveraging failure to use SSL or (2) attackers to obtain sensitive information by reading the HTML source code. NOTE: the vendor says that this does not cross a trust boundary and that it is recommended best-practice that SSL is configured for the administrative console"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-10-24T14:57:02",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.halock.com/blog/cve-2013-3734-jboss-administration-console-password-returned-response/"
},
{
"name": "60429",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/60429"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=971637"
}
],
"tags": [
"disputed"
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-3734",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** DISPUTED ** The Embedded Jopr component in JBoss Application Server includes the cleartext datasource password in unspecified HTML responses, which might allow (1) man-in-the-middle attackers to obtain sensitive information by leveraging failure to use SSL or (2) attackers to obtain sensitive information by reading the HTML source code. NOTE: the vendor says that this does not cross a trust boundary and that it is recommended best-practice that SSL is configured for the administrative console."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.halock.com/blog/cve-2013-3734-jboss-administration-console-password-returned-response/",
"refsource": "MISC",
"url": "https://www.halock.com/blog/cve-2013-3734-jboss-administration-console-password-returned-response/"
},
{
"name": "60429",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/60429"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=971637",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=971637"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2013-3734",
"datePublished": "2017-10-24T15:00:00",
"dateReserved": "2013-05-31T00:00:00",
"dateUpdated": "2024-08-06T16:22:00.733Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2011-3606
Vulnerability from cvelistv5
Published
2019-11-26 01:43
Modified
2024-08-06 23:37
Severity ?
EPSS score ?
Summary
A DOM based cross-site scripting flaw was found in the JBoss Application Server 7 before 7.1.0 Beta 1 administration console. A remote attacker could provide a specially-crafted web page and trick the valid JBoss AS user, with the administrator privilege, to visit it, which would lead into the DOM environment modification and arbitrary HTML or web script execution.
References
| ▼ | URL | Tags |
|---|---|---|
| https://security-tracker.debian.org/tracker/CVE-2011-3606 | x_refsource_MISC | |
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3606 | x_refsource_MISC | |
| https://access.redhat.com/security/cve/cve-2011-3606 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | JBoss Application Server | JBoss Application Server |
Version: 7 before 7.1.0 Beta 1 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T23:37:48.614Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2011-3606"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3606"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/cve-2011-3606"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "JBoss Application Server",
"vendor": "JBoss Application Server",
"versions": [
{
"status": "affected",
"version": "7 before 7.1.0 Beta 1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A DOM based cross-site scripting flaw was found in the JBoss Application Server 7 before 7.1.0 Beta 1 administration console. A remote attacker could provide a specially-crafted web page and trick the valid JBoss AS user, with the administrator privilege, to visit it, which would lead into the DOM environment modification and arbitrary HTML or web script execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-26T01:43:14",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2011-3606"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3606"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://access.redhat.com/security/cve/cve-2011-3606"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2011-3606",
"datePublished": "2019-11-26T01:43:14",
"dateReserved": "2011-09-21T00:00:00",
"dateUpdated": "2024-08-06T23:37:48.614Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2012-1094
Vulnerability from cvelistv5
Published
2020-03-10 16:19
Modified
2024-08-06 18:45
Severity ?
EPSS score ?
Summary
JBoss AS 7 prior to 7.1.1 and mod_cluster do not handle default hostname in the same way, which can cause the excluded-contexts list to be mismatched and the root context to be exposed.
References
| ▼ | URL | Tags |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1094 | x_refsource_MISC | |
| https://access.redhat.com/security/cve/cve-2012-1094 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | n/a | JBoss AS 7 |
Version: prior to 7.1.1 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T18:45:27.400Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1094"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/cve-2012-1094"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "JBoss AS 7",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "prior to 7.1.1"
}
]
}
],
"datePublic": "2012-02-04T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "JBoss AS 7 prior to 7.1.1 and mod_cluster do not handle default hostname in the same way, which can cause the excluded-contexts list to be mismatched and the root context to be exposed."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Other",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-10T16:19:11",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1094"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://access.redhat.com/security/cve/cve-2012-1094"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2012-1094",
"datePublished": "2020-03-10T16:19:11",
"dateReserved": "2012-02-14T00:00:00",
"dateUpdated": "2024-08-06T18:45:27.400Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2012-2312
Vulnerability from cvelistv5
Published
2019-12-18 17:47
Modified
2024-08-06 19:26
Severity ?
EPSS score ?
Summary
An Elevated Privileges issue exists in JBoss AS 7 Community Release due to the improper implementation in the security context propagation, A threat gets reused from the thread pool that still retains the security context from the process last used, which lets a local user obtain elevated privileges.
References
| ▼ | URL | Tags |
|---|---|---|
| https://security-tracker.debian.org/tracker/CVE-2012-2312 | x_refsource_MISC | |
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2312 | x_refsource_MISC | |
| https://access.redhat.com/security/cve/cve-2012-2312 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | JBoss AS 7 | JBoss |
Version: AS 7 Community Release |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T19:26:09.332Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2012-2312"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2312"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/cve-2012-2312"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "JBoss",
"vendor": "JBoss AS 7",
"versions": [
{
"status": "affected",
"version": "AS 7 Community Release"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An Elevated Privileges issue exists in JBoss AS 7 Community Release due to the improper implementation in the security context propagation, A threat gets reused from the thread pool that still retains the security context from the process last used, which lets a local user obtain elevated privileges."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "UNKNOWN_TYPE",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-12-18T17:47:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2012-2312"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2312"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://access.redhat.com/security/cve/cve-2012-2312"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2012-2312",
"datePublished": "2019-12-18T17:47:01",
"dateReserved": "2012-04-19T00:00:00",
"dateUpdated": "2024-08-06T19:26:09.332Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2019-12-18 18:15
Modified
2024-11-21 01:38
Severity ?
Summary
An Elevated Privileges issue exists in JBoss AS 7 Community Release due to the improper implementation in the security context propagation, A threat gets reused from the thread pool that still retains the security context from the process last used, which lets a local user obtain elevated privileges.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | https://access.redhat.com/security/cve/cve-2012-2312 | Vendor Advisory | |
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2312 | Issue Tracking, Vendor Advisory | |
| secalert@redhat.com | https://security-tracker.debian.org/tracker/CVE-2012-2312 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/security/cve/cve-2012-2312 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2312 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security-tracker.debian.org/tracker/CVE-2012-2312 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| redhat | jboss_application_server | 7.1.0 | |
| redhat | jboss_application_server | 7.1.1 | |
| redhat | jboss_enterprise_application_platform | 6.0.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:jboss_application_server:7.1.0:*:*:*:community:*:*:*",
"matchCriteriaId": "C257394F-F187-4785-8716-9281DDAA6494",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_application_server:7.1.1:*:*:*:community:*:*:*",
"matchCriteriaId": "296F4B0F-50D0-49F6-8EF4-80AC8EBB1F55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.0.0:beta:*:*:*:*:*:*",
"matchCriteriaId": "9444B161-7249-4D9A-B449-92FC8AD952B8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An Elevated Privileges issue exists in JBoss AS 7 Community Release due to the improper implementation in the security context propagation, A threat gets reused from the thread pool that still retains the security context from the process last used, which lets a local user obtain elevated privileges."
},
{
"lang": "es",
"value": "Se presenta un problema de privilegios elevados en JBoss AS 7 Community Release, debido a la implementaci\u00f3n inapropiada en la propagaci\u00f3n del contexto de seguridad. Se reutiliza una amenaza del grupo de hilos (subprocesos) que a\u00fan conserva el contexto de seguridad del \u00faltimo proceso utilizado, lo que permite a un usuario local obtener privilegios elevados."
}
],
"id": "CVE-2012-2312",
"lastModified": "2024-11-21T01:38:51.913",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.6,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-12-18T18:15:15.677",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "https://access.redhat.com/security/cve/cve-2012-2312"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2312"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2012-2312"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://access.redhat.com/security/cve/cve-2012-2312"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2312"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2012-2312"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-269"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-10-24 15:29
Modified
2024-11-21 01:54
Severity ?
Summary
The Embedded Jopr component in JBoss Application Server includes the cleartext datasource password in unspecified HTML responses, which might allow (1) man-in-the-middle attackers to obtain sensitive information by leveraging failure to use SSL or (2) attackers to obtain sensitive information by reading the HTML source code. NOTE: the vendor says that this does not cross a trust boundary and that it is recommended best-practice that SSL is configured for the administrative console
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.securityfocus.com/bid/60429 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://bugzilla.redhat.com/show_bug.cgi?id=971637 | Issue Tracking, Vendor Advisory | |
| cve@mitre.org | https://www.halock.com/blog/cve-2013-3734-jboss-administration-console-password-returned-response/ | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/60429 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=971637 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.halock.com/blog/cve-2013-3734-jboss-administration-console-password-returned-response/ | Issue Tracking, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| redhat | jboss_application_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:jboss_application_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9D33F1BE-A4DB-4FE5-9AD2-CF257DEE7FF1",
"versionEndIncluding": "1.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [
{
"sourceIdentifier": "cve@mitre.org",
"tags": [
"disputed"
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Embedded Jopr component in JBoss Application Server includes the cleartext datasource password in unspecified HTML responses, which might allow (1) man-in-the-middle attackers to obtain sensitive information by leveraging failure to use SSL or (2) attackers to obtain sensitive information by reading the HTML source code. NOTE: the vendor says that this does not cross a trust boundary and that it is recommended best-practice that SSL is configured for the administrative console"
},
{
"lang": "es",
"value": "**EN DISPUTA** El componente Embedded Jopr en JBoss Application Server incluye la contrase\u00f1a del origen de datos en texto en claro en respuestas HTML no especificadas, lo que podr\u00eda permitir (1) que atacantes Man-in-the-Middle (MitM) obtengan informaci\u00f3n sensible aprovechando que no se puede utilizar SSL o (2) que los atacantes obtengan informaci\u00f3n sensible leyendo el c\u00f3digo fuente HTML. NOTA: el fabricante dice que no traspasa ning\u00fan l\u00edmite de confianza y que el hecho de que el SSL est\u00e9 configurado para la consola administrativa es una buena pr\u00e1ctica recomendada."
}
],
"id": "CVE-2013-3734",
"lastModified": "2024-11-21T01:54:11.850",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 0.7,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-10-24T15:29:00.200",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/60429"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=971637"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://www.halock.com/blog/cve-2013-3734-jboss-administration-console-password-returned-response/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/60429"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=971637"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://www.halock.com/blog/cve-2013-3734-jboss-administration-console-password-returned-response/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-255"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-03-10 17:15
Modified
2024-11-21 01:36
Severity ?
Summary
JBoss AS 7 prior to 7.1.1 and mod_cluster do not handle default hostname in the same way, which can cause the excluded-contexts list to be mismatched and the root context to be exposed.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | https://access.redhat.com/security/cve/cve-2012-1094 | Vendor Advisory | |
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1094 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/security/cve/cve-2012-1094 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1094 | Issue Tracking, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| redhat | jboss_application_server | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:jboss_application_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2C111080-0F04-4908-AC1C-150FDC0A6C8C",
"versionEndExcluding": "7.1.1",
"versionStartIncluding": "7.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "JBoss AS 7 prior to 7.1.1 and mod_cluster do not handle default hostname in the same way, which can cause the excluded-contexts list to be mismatched and the root context to be exposed."
},
{
"lang": "es",
"value": "JBoss AS versiones 7 anteriores a la versi\u00f3n 7.1.1 y mod_cluster no manejan el nombre de host predeterminado de la misma manera, lo que puede causar que la lista de contextos excluidos sea contrastada inapropiadamente y que el contexto root sea expuesto."
}
],
"id": "CVE-2012-1094",
"lastModified": "2024-11-21T01:36:24.403",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-03-10T17:15:12.487",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "https://access.redhat.com/security/cve/cve-2012-1094"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1094"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://access.redhat.com/security/cve/cve-2012-1094"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1094"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-11-26 03:15
Modified
2024-11-21 01:30
Severity ?
Summary
A CSRF issue was found in JBoss Application Server 7 before 7.1.0. JBoss did not properly restrict access to the management console information (for example via the "Access-Control-Allow-Origin" HTTP access control flag). This can lead to unauthorized information leak if a user with admin privileges visits a specially-crafted web page provided by a remote attacker.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | https://access.redhat.com/security/cve/cve-2011-3609 | Third Party Advisory | |
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3609 | Issue Tracking, Third Party Advisory | |
| secalert@redhat.com | https://security-tracker.debian.org/tracker/CVE-2011-3609 | Third Party Advisory | |
| secalert@redhat.com | https://www.securityfocus.com/bid/50888 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/security/cve/cve-2011-3609 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3609 | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security-tracker.debian.org/tracker/CVE-2011-3609 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.securityfocus.com/bid/50888 | Third Party Advisory, VDB Entry |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| redhat | jboss_application_server | 7.0.0 | |
| redhat | jboss_application_server | 7.0.0 | |
| redhat | jboss_application_server | 7.0.0 | |
| redhat | jboss_application_server | 7.0.0 | |
| redhat | jboss_application_server | 7.0.0 | |
| redhat | jboss_application_server | 7.0.0 | |
| redhat | jboss_application_server | 7.0.1 | |
| redhat | jboss_application_server | 7.0.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:jboss_application_server:7.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F239FDAE-4DA4-4F60-BD6F-FBFA48836690",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_application_server:7.0.0:alpha1:*:*:*:*:*:*",
"matchCriteriaId": "481E63A2-DB87-4BA5-8AA5-04CB765EB203",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_application_server:7.0.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "6819992D-FB7D-4E07-91AD-8C25A8666E4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_application_server:7.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "46594B25-73C0-4D03-BD52-3F97BC2EB72D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_application_server:7.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "D8E9DC45-A43B-47BD-B819-A017CD28F20B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_application_server:7.0.0:cr1:*:*:*:*:*:*",
"matchCriteriaId": "0966EA02-E802-48BC-A8A9-D0712921A56D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_application_server:7.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "8BC0CB87-8FCD-4E20-935F-71E8206656F1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_application_server:7.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "1CE04DE7-01AC-4C55-B5F4-1A5F39132FBC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A CSRF issue was found in JBoss Application Server 7 before 7.1.0. JBoss did not properly restrict access to the management console information (for example via the \"Access-Control-Allow-Origin\" HTTP access control flag). This can lead to unauthorized information leak if a user with admin privileges visits a specially-crafted web page provided by a remote attacker."
},
{
"lang": "es",
"value": "Se encontr\u00f3 un problema CSRF en JBoss Application Server 7 versiones anteriores a 7.1.0. JBoss no restringi\u00f3 apropiadamente el acceso a la informaci\u00f3n de la consola de administraci\u00f3n (por ejemplo, por medio del flag de control de acceso HTTP \"Access-Control-Allow-Origin\"). Esto puede conllevar a una filtrado de informaci\u00f3n no autorizado si un usuario con privilegios de administrador visita una p\u00e1gina web especialmente dise\u00f1ada por parte de un atacante remoto."
}
],
"id": "CVE-2011-3609",
"lastModified": "2024-11-21T01:30:50.653",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-11-26T03:15:10.787",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/security/cve/cve-2011-3609"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3609"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2011-3609"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.securityfocus.com/bid/50888"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/security/cve/cve-2011-3609"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3609"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2011-3609"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.securityfocus.com/bid/50888"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-11-26 02:15
Modified
2024-11-21 01:30
Severity ?
Summary
A DOM based cross-site scripting flaw was found in the JBoss Application Server 7 before 7.1.0 Beta 1 administration console. A remote attacker could provide a specially-crafted web page and trick the valid JBoss AS user, with the administrator privilege, to visit it, which would lead into the DOM environment modification and arbitrary HTML or web script execution.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | https://access.redhat.com/security/cve/cve-2011-3606 | Third Party Advisory | |
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3606 | Issue Tracking, Third Party Advisory | |
| secalert@redhat.com | https://security-tracker.debian.org/tracker/CVE-2011-3606 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/security/cve/cve-2011-3606 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3606 | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security-tracker.debian.org/tracker/CVE-2011-3606 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| redhat | jboss_application_server | 7.0.0 | |
| redhat | jboss_application_server | 7.0.0 | |
| redhat | jboss_application_server | 7.0.0 | |
| redhat | jboss_application_server | 7.0.0 | |
| redhat | jboss_application_server | 7.0.0 | |
| redhat | jboss_application_server | 7.0.0 | |
| redhat | jboss_application_server | 7.0.1 | |
| redhat | jboss_application_server | 7.0.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:jboss_application_server:7.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F239FDAE-4DA4-4F60-BD6F-FBFA48836690",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_application_server:7.0.0:alpha1:*:*:*:*:*:*",
"matchCriteriaId": "481E63A2-DB87-4BA5-8AA5-04CB765EB203",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_application_server:7.0.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "6819992D-FB7D-4E07-91AD-8C25A8666E4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_application_server:7.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "46594B25-73C0-4D03-BD52-3F97BC2EB72D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_application_server:7.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "D8E9DC45-A43B-47BD-B819-A017CD28F20B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_application_server:7.0.0:cr1:*:*:*:*:*:*",
"matchCriteriaId": "0966EA02-E802-48BC-A8A9-D0712921A56D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_application_server:7.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "8BC0CB87-8FCD-4E20-935F-71E8206656F1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_application_server:7.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "1CE04DE7-01AC-4C55-B5F4-1A5F39132FBC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A DOM based cross-site scripting flaw was found in the JBoss Application Server 7 before 7.1.0 Beta 1 administration console. A remote attacker could provide a specially-crafted web page and trick the valid JBoss AS user, with the administrator privilege, to visit it, which would lead into the DOM environment modification and arbitrary HTML or web script execution."
},
{
"lang": "es",
"value": "Se encontr\u00f3 un fallo de tipo cross-site scripting basado en DOM en la consola de administraci\u00f3n de JBoss Application Server 7 versiones anteriores 7.1.0 Beta 1. Un atacante remoto podr\u00eda proveer una p\u00e1gina web especialmente dise\u00f1ada y enga\u00f1ar al usuario AS de JBoss v\u00e1lido, con el privilegio de administrador, para visitarla, lo que conllevar\u00eda a la modificaci\u00f3n del entorno DOM y a una ejecuci\u00f3n de un script web o HTML arbitrario."
}
],
"id": "CVE-2011-3606",
"lastModified": "2024-11-21T01:30:50.343",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-11-26T02:15:10.637",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/security/cve/cve-2011-3606"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3606"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2011-3606"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/security/cve/cve-2011-3606"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3606"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2011-3606"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}