Description

The processInvocation function in org.jboss.as.ejb3.security.AuthorizationInterceptor in JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) before 6.0.1, authorizes all requests when no roles are allowed for an Enterprise Java Beans (EJB) method invocation, which allows attackers to bypass intended access restrictions for EJB methods.

Remediation

References

CVE-2012-4549

Related Vulnerabilities

WordPress Plugin IMPress for IDX Broker Multiple Vulnerabilities (2.6.1)

PHP Other Vulnerability (CVE-2014-4670)

PHP Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Vulnerability (CVE-2008-2666)

Dotclear Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2015-5651)

Drupal Core 8.x.x Multiple Security Bypass Vulnerabilities (8.0.0 - 8.8.12)

Severity

Medium

Classification

CVE-2012-4549 CWE-264

Tags

Missing Update Known Vulnerabilities