Vulnerability Details CVE-2005-4709
The popSubjectContext method in the SecurityAssociation class in JBoss Enterprise Java Beans (EJB) 3.0 RC3 maintains the threadPrincipal and threadCredential values from a previous client's authentication after termination of a client session, which allows remote attackers to gain the roles of an arbitrary previous client who had the same JBoss server thread.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 64.9%
CVSS Severity
CVSS v2 Score 5.0
References
- http://jira.jboss.com/jira/browse/EJBTHREE-384
- http://www.vupen.com/english/advisories/2006/0374
- https://exchange.xforce.ibmcloud.com/vulnerabilities/24384
- http://jira.jboss.com/jira/browse/EJBTHREE-384
- http://www.vupen.com/english/advisories/2006/0374
- https://exchange.xforce.ibmcloud.com/vulnerabilities/24384
Products affected by CVE-2005-4709
-
cpe:2.3:a:jboss:enterprise_java_beans:3.0_rc3