Description
The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) before 6.2.0, does not properly enforce method-level security restrictions on JAX-WS service endpoints that are implemented as EJBs. Authorization is effectively checked only at the level of the EJB class: a remote authenticated user who is permitted to invoke the class at all can also invoke endpoint methods that carry a tighter, method-level restriction, so web-service operations that were meant to be limited to a smaller set of roles become reachable by any user who can call the bean.
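The practical question this raises for an operator is whether method-level restrictions on an EJB-backed SOAP endpoint are really enforced by the deployment in front of them. The following is an added black-box check, not code from the advisory or from JBossWS: it calls one operation that any user with class-level access may invoke and one that is supposed to be restricted at the method level, both with the credentials of an authenticated low-privilege user, and reports the endpoint as not enforcing the restriction if the restricted call succeeds while the open one does too. The endpoint URL, target namespace, operation names and credentials are hypothetical placeholders, and the two embedded responses are constructed samples used only to exercise the classifier offline.

```python
"""
Added example (not from the advisory or from JBossWS): verify that a
method-level restriction on an EJB-backed JAX-WS endpoint is enforced.

Assumptions (all hypothetical; adjust to the target being tested):
  - ENDPOINT: URL of the SOAP endpoint.
  - NAMESPACE / OPEN_OP / RESTRICTED_OP: target namespace plus one operation
    callable by anyone with access to the EJB class and one operation that
    is restricted at the method level to a narrower role.
  - LOW_PRIV: credentials of an authenticated user who is NOT in that role.
"""
import base64
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

ENDPOINT = "http://localhost:8080/example-ws/ExampleService"  # assumed
NAMESPACE = "http://example.com/ws"                             # assumed
OPEN_OP = "echo"                                                # assumed
RESTRICTED_OP = "adminOnly"                                     # assumed
LOW_PRIV = ("user", "userpass")                                 # assumed

SOAP11_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP12_ENV = "http://www.w3.org/2003/05/soap-envelope"

# Constructed sample responses, used to exercise the classifier offline.
SAMPLE_FAULT = (
    f'<soapenv:Envelope xmlns:soapenv="{SOAP11_ENV}"><soapenv:Body>'
    "<soapenv:Fault><faultcode>soapenv:Server</faultcode>"
    "<faultstring>javax.ejb.EJBAccessException: not allowed</faultstring>"
    "</soapenv:Fault></soapenv:Body></soapenv:Envelope>"
)
SAMPLE_OK = (
    f'<soapenv:Envelope xmlns:soapenv="{SOAP11_ENV}"><soapenv:Body>'
    f'<ns:{RESTRICTED_OP}Response xmlns:ns="{NAMESPACE}"><return>done</return>'
    f"</ns:{RESTRICTED_OP}Response></soapenv:Body></soapenv:Envelope>"
)


def build_request(namespace, operation, params=None):
    """Document/literal wrapped request body, the JAX-WS default style."""
    args = "".join(f"<{k}>{v}</{k}>" for k, v in (params or {}).items())
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP11_ENV}"><soapenv:Body>'
        f'<ns:{operation} xmlns:ns="{namespace}">{args}</ns:{operation}>'
        "</soapenv:Body></soapenv:Envelope>"
    )


def is_soap_fault(body):
    """True if the body carries a SOAP 1.1 or SOAP 1.2 Fault element."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False
    faults = (f"{{{SOAP11_ENV}}}Fault", f"{{{SOAP12_ENV}}}Fault")
    return any(el.tag in faults for el in root.iter())


def classify(status, body):
    """Map an HTTP status and body to an authorization outcome."""
    if status in (401, 403):
        return "rejected-http"
    if is_soap_fault(body):
        # An EJB authorization failure (EJBAccessException) is typically
        # surfaced by JAX-WS as a SOAP Fault with HTTP 500.
        return "rejected-fault"
    if 200 <= status < 300:
        return "allowed"
    return "error"


def call(url, body, creds):
    """POST a SOAP request with HTTP Basic auth; return (status, body)."""
    token = base64.b64encode(f"{creds[0]}:{creds[1]}".encode()).decode()
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Content-Type": "text/xml; charset=utf-8",
                 "SOAPAction": '""', "Authorization": "Basic " + token},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")


def verdict(open_result, restricted_result):
    """The open call must succeed, or the credentials/class-level access are
    wrong and a rejected restricted call proves nothing."""
    if open_result != "allowed":
        return "inconclusive"
    if restricted_result == "allowed":
        return "method-level restriction NOT enforced"
    return "method-level restriction enforced"


def check_endpoint():
    """Live check against ENDPOINT with the low-privilege credentials."""
    open_res = classify(*call(ENDPOINT, build_request(NAMESPACE, OPEN_OP, {"msg": "hi"}), LOW_PRIV))
    restricted_res = classify(*call(ENDPOINT, build_request(NAMESPACE, RESTRICTED_OP), LOW_PRIV))
    return verdict(open_res, restricted_res)


def demo():
    """Offline run over the constructed samples."""
    return verdict(classify(200, SAMPLE_OK), classify(500, SAMPLE_FAULT))


if __name__ == "__main__":
    print(demo())
```

Run it against a staging copy of the deployment, never only against documentation: the point of the check is that the class-level permission may be the only one the container consults, so a user who can reach one operation must be shown to be turned away from the restricted one. An "inconclusive" result means the low-privilege credentials did not even reach the open operation and the test has to be repeated with a user who genuinely has class-level access.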
Remediation
Upgrade to JBoss Enterprise Application Platform 6.2.0 or later, which corrects the JBossWS EJB invocation handler so that method-level restrictions on JAX-WS endpoints are enforced. After upgrading, confirm the fix by invoking a method-restricted operation with the credentials of an authenticated user who has access to the EJB class but not to that method, and checking that the call is refused.
References
Related Vulnerabilities
WordPress Plugin Genesis Simple Defaults Arbitrary File Upload (1.0.0)
Jenkins Permissions, Privileges, and Access Controls Vulnerability (CVE-2015-1814)
WordPress Plugin VikRentCar Car Rental Management System Cross-Site Request Forgery (1.1.6)
WordPress Plugin Clean Login Cross-Site Scripting (1.12.6.3)