Description

The processInvocation function in org.jboss.as.ejb3.security.AuthorizationInterceptor in JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) before 6.0.1, authorizes all requests when no roles are allowed for an Enterprise Java Beans (EJB) method invocation, which allows attackers to bypass intended access restrictions for EJB methods.

Remediation

References

CVE-2012-4549

Related Vulnerabilities

WordPress Plugin WordPress Contact Forms by Cimatti Cross-Site Scripting (1.4.11)

WordPress Plugin SP Project & Document Manager Arbitrary File Upload (4.22)

WordPress Plugin MiwoFTP-File & Folder Manager Multiple Vulnerabilities (1.0.5)

Roundcube Improper Input Validation Vulnerability (CVE-2011-1491)

Plone CMS Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2022-23599)

Severity

Medium

Classification

CVE-2012-4549 CWE-264

Tags

Missing Update Known Vulnerabilities