Description
mod_cluster 1.0.10 before 1.0.10 CP03 and 1.1.x before 1.1.4, as used in JBoss Enterprise Application Platform 5.1.2, when "ROOT" is set to excludedContexts, exposes the root context of the server, which allows remote attackers to bypass access restrictions and gain access to applications deployed on the root context via unspecified vectors.
Remediation
References
http://rhn.redhat.com/errata/RHSA-2012-1010.html
http://rhn.redhat.com/errata/RHSA-2012-1011.html
http://rhn.redhat.com/errata/RHSA-2012-1012.html
http://rhn.redhat.com/errata/RHSA-2012-1052.html
http://rhn.redhat.com/errata/RHSA-2012-1053.html
http://rhn.redhat.com/errata/RHSA-2012-1166.html
http://secunia.com/advisories/49636
https://bugzilla.redhat.com/show_bug.cgi?id=802200
https://community.jboss.org/message/624018
https://issues.jboss.org/browse/MODCLUSTER-253
Related Vulnerabilities
CVE-2015-8854 Vulnerability in maven package org.webjars:marked
CVE-2022-36084 Vulnerability in npm package cruddl
CVE-2023-40027 Vulnerability in npm package @keystone-6/core
CVE-2021-21640 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2018-1000012 Vulnerability in maven package org.jvnet.hudson.plugins:warnings