Vulnerability Details CVE-2010-1428
The Web Console (aka web-console) in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to obtain sensitive information via an unspecified request that uses a different method.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.65
EPSS Ranking 98.4%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
Proposed Action
Unauthenticated access to the JBoss Application Server Web Console (/web-console) is blocked by default. However, it was found that this block was incomplete, and only blocked GET and POST HTTP verbs. A remote attacker could use this flaw to gain access to sensitive information.
Ransomware Campaign
Known
References
- http://marc.info/?l=bugtraq&m=132698550418872&w=2
- http://marc.info/?l=bugtraq&m=132698550418872&w=2
- http://marc.info/?l=bugtraq&m=132698550418872&w=2
- http://marc.info/?l=bugtraq&m=132698550418872&w=2
- http://secunia.com/advisories/39563
- http://securitytracker.com/id?1023917
- http://www.securityfocus.com/bid/39710
- http://www.vupen.com/english/advisories/2010/0992
- https://bugzilla.redhat.com/show_bug.cgi?id=585899
- https://exchange.xforce.ibmcloud.com/vulnerabilities/58148
- https://rhn.redhat.com/errata/RHSA-2010-0376.html
- https://rhn.redhat.com/errata/RHSA-2010-0377.html
- https://rhn.redhat.com/errata/RHSA-2010-0378.html
- https://rhn.redhat.com/errata/RHSA-2010-0379.html
- http://marc.info/?l=bugtraq&m=132698550418872&w=2
- http://marc.info/?l=bugtraq&m=132698550418872&w=2
- http://marc.info/?l=bugtraq&m=132698550418872&w=2
- http://marc.info/?l=bugtraq&m=132698550418872&w=2
- http://secunia.com/advisories/39563
- http://securitytracker.com/id?1023917
- http://www.securityfocus.com/bid/39710
- http://www.vupen.com/english/advisories/2010/0992
- https://bugzilla.redhat.com/show_bug.cgi?id=585899
- https://exchange.xforce.ibmcloud.com/vulnerabilities/58148
- https://rhn.redhat.com/errata/RHSA-2010-0376.html
- https://rhn.redhat.com/errata/RHSA-2010-0377.html
- https://rhn.redhat.com/errata/RHSA-2010-0378.html
- https://rhn.redhat.com/errata/RHSA-2010-0379.html
Products affected by CVE-2010-1428
-
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0
-
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0