Description
mod_cluster 1.0.10 before 1.0.10 CP03 and 1.1.x before 1.1.4, as used in JBoss Enterprise Application Platform 5.1.2, when "ROOT" is set to excludedContexts, exposes the root context of the server, which allows remote attackers to bypass access restrictions and gain access to applications deployed on the root context via unspecified vectors.
Remediation
References
http://rhn.redhat.com/errata/RHSA-2012-1010.html
http://rhn.redhat.com/errata/RHSA-2012-1011.html
http://rhn.redhat.com/errata/RHSA-2012-1012.html
http://rhn.redhat.com/errata/RHSA-2012-1052.html
http://rhn.redhat.com/errata/RHSA-2012-1053.html
http://rhn.redhat.com/errata/RHSA-2012-1166.html
http://secunia.com/advisories/49636
https://bugzilla.redhat.com/show_bug.cgi?id=802200
https://community.jboss.org/message/624018
https://issues.jboss.org/browse/MODCLUSTER-253
Related Vulnerabilities
CVE-2022-45384 Vulnerability in maven package org.jenkins-ci.plugins:reverse-proxy-auth-plugin
CVE-2023-33942 Vulnerability in maven package com.liferay:com.liferay.asset.browser.web
CVE-2023-46233 Vulnerability in npm package crypto-js
CVE-2020-15842 Vulnerability in maven package com.liferay:com.liferay.portal.template.freemarker
CVE-2018-8032 Vulnerability in maven package org.apache.axis:axis