1. CVE-Search
  2. CVE-2008-3519
ID CVE-2008-3519
Summary The default configuration of the JBossAs component in Red Hat JBoss Enterprise Application Platform (aka JBossEAP or EAP), possibly 4.2 before CP04 and 4.3 before CP02, when a production environment is enabled, sets the DownloadServerClasses property to true, which allows remote attackers to obtain sensitive information (non-EJB classes) via a download request, a different vulnerability than CVE-2008-3273.
References
Vulnerable Configurations
  • cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2:*:*:*:*:*:*:*
    cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2:cp01:*:*:*:*:*:*
    cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2:cp01:*:*:*:*:*:*
  • cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2:cp02:*:*:*:*:*:*
    cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2:cp02:*:*:*:*:*:*
  • cpe:2.3:a:redhat:jboss_enterprise_application_platform:*:cp03:*:*:*:*:*:*
    cpe:2.3:a:redhat:jboss_enterprise_application_platform:*:cp03:*:*:*:*:*:*
  • cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3:*:*:*:*:*:*:*
    cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:jboss_enterprise_application_platform:*:cp01:*:*:*:*:*:*
    cpe:2.3:a:redhat:jboss_enterprise_application_platform:*:cp01:*:*:*:*:*:*
CVSS
Base: 4.3 (as of 08-08-2017 - 01:31)
Impact:
Exploitability:
CWE CWE-16
CAPEC
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL NONE NONE
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:N/A:N
redhat via4
advisories
  • rhsa
    id RHSA-2008:0831
  • rhsa
    id RHSA-2008:0832
  • rhsa
    id RHSA-2008:0833
  • rhsa
    id RHSA-2008:0834
rpms
  • glassfish-jaf-0:1.1.0-0jpp.ep1.12.el4
  • glassfish-javamail-0:1.4.0-0jpp.ep1.10.el4
  • glassfish-jaxb-0:2.1.4-1jpp.ep1.2.el4
  • glassfish-jaxb-javadoc-0:2.1.4-1jpp.ep1.2.el4
  • glassfish-jaxws-0:2.1.1-1jpp.ep1.3.el4
  • glassfish-jstl-0:1.2.0-0jpp.ep1.10.el4
  • hibernate3-1:3.2.4-1.SP1_CP04.0jpp.ep1.3.el4
  • hibernate3-annotations-0:3.2.1-4.GA_CP02.1jpp.ep1.7.el4
  • hibernate3-annotations-javadoc-0:3.2.1-4.GA_CP02.1jpp.ep1.7.el4
  • hibernate3-commons-annotations-0:0.0.0-1.1jpp.ep1.1.el4
  • hibernate3-entitymanager-0:3.2.1-2.GA_CP03.1jpp.ep1.9.el4
  • hibernate3-entitymanager-javadoc-0:3.2.1-2.GA_CP03.1jpp.ep1.9.el4
  • hibernate3-javadoc-1:3.2.4-1.SP1_CP04.0jpp.ep1.3.el4
  • hibernate3-validator-0:0.0.0-1.1jpp.ep1.1.el4
  • jakarta-commons-beanutils-0:1.7.0-2jpp.ep1.5.el4
  • javassist-0:3.8.0-1.ep1.el4
  • jboss-aop-0:1.5.5-2.CP02.0jpp.ep1.2.el4
  • jboss-jaxr-0:1.2.0-SP1.0jpp.ep1.4.el4
  • jboss-messaging-0:1.4.0-1.SP3_CP03.0jpp.ep1.3.el4
  • jboss-remoting-0:2.2.2-3.SP9.0jpp.ep1.1.el4
  • jboss-seam-0:1.2.1-3.JBPAPP_4_3_0_GA.ep1.10.el4
  • jboss-seam-docs-0:1.2.1-3.JBPAPP_4_3_0_GA.ep1.10.el4
  • jbossas-0:4.3.0-2.GA_CP02.ep1.10.el4
  • jbossts-1:4.2.3-1.SP5_CP02.1jpp.ep1.1.el4
  • jbossweb-0:2.0.0-4.CP06.0jpp.ep1.1.el4
  • jbossws-0:2.0.1-2.SP2_CP03.0jpp.ep1.1.el4
  • jbossws-common-0:1.0.0-1.GA_CP01.0jpp.ep1.3.el4
  • jbossws-framework-0:2.0.1-0jpp.ep1.11.el4
  • jbossxb-0:1.0.0-2.SP3.0jpp.ep1.3.el4
  • rh-eap-docs-0:4.3.0-3.GA_CP02.ep1.9.el4
  • rh-eap-docs-examples-0:4.3.0-3.GA_CP02.ep1.9.el4
  • glassfish-jaf-0:1.1.0-0jpp.ep1.12.el5.1
  • glassfish-javamail-0:1.4.0-0jpp.ep1.10.el5
  • glassfish-jaxb-0:2.1.4-1jpp.ep1.4.el5.2
  • glassfish-jaxws-0:2.1.1-1jpp.ep1.3.el5
  • glassfish-jstl-0:1.2.0-0jpp.ep1.10.el5
  • hibernate3-1:3.2.4-1.SP1_CP04.0jpp.ep1.3.el5
  • hibernate3-annotations-0:3.2.1-4.GA_CP02.1jpp.ep1.7.el5.1
  • hibernate3-annotations-javadoc-0:3.2.1-4.GA_CP02.1jpp.ep1.7.el5.1
  • hibernate3-commons-annotations-0:0.0.0-1.1jpp.ep1.1.el5
  • hibernate3-entitymanager-0:3.2.1-2.GA_CP03.1jpp.ep1.9.el5
  • hibernate3-entitymanager-javadoc-0:3.2.1-2.GA_CP03.1jpp.ep1.9.el5
  • hibernate3-javadoc-1:3.2.4-1.SP1_CP04.0jpp.ep1.3.el5
  • hibernate3-validator-0:0.0.0-1.1jpp.ep1.1.el5
  • javassist-0:3.8.0-1jpp.ep1.2.el5
  • jboss-aop-0:1.5.5-2.CP02.0jpp.ep1.2.el5
  • jboss-jaxr-0:1.2.0-SP1.0jpp.ep1.4.el5
  • jboss-messaging-0:1.4.0-1.SP3_CP03.0jpp.ep1.3.el5
  • jboss-remoting-0:2.2.2-3.SP9.0jpp.ep1.2.el5
  • jboss-seam-0:1.2.1-3.JBPAPP_4_3_0_GA.ep1.7.el5.1
  • jboss-seam-docs-0:1.2.1-3.JBPAPP_4_3_0_GA.ep1.7.el5.1
  • jbossas-0:4.3.0-2.GA_CP02.ep1.10.el5.2
  • jbossts-1:4.2.3-1.SP5_CP02.1jpp.ep1.2.el5
  • jbossweb-0:2.0.0-4.CP06.0jpp.ep1.1.el5
  • jbossws-0:2.0.1-2.SP2_CP03.0jpp.ep1.1.el5.1
  • jbossws-common-0:1.0.0-1.GA_CP01.0jpp.ep1.3.el5
  • jbossws-framework-0:2.0.1-0jpp.ep1.11.el5
  • jbossxb-0:1.0.0-2.SP3.0jpp.ep1.3.el5.1
  • rh-eap-docs-0:4.3.0-2.GA_CP02.ep1.6.el5
  • glassfish-jaf-0:1.1.0-0jpp.ep1.12.el4
  • glassfish-javamail-0:1.4.0-0jpp.ep1.10.el4
  • glassfish-jstl-0:1.2.0-0jpp.ep1.10.el4
  • hibernate3-1:3.2.4-1.SP1_CP04.0jpp.ep1.3.el4
  • hibernate3-annotations-0:3.2.1-4.GA_CP02.1jpp.ep1.7.el4
  • hibernate3-annotations-javadoc-0:3.2.1-4.GA_CP02.1jpp.ep1.7.el4
  • hibernate3-commons-annotations-0:0.0.0-1.1jpp.ep1.1.el4
  • hibernate3-entitymanager-0:3.2.1-2.GA_CP03.1jpp.ep1.9.el4
  • hibernate3-entitymanager-javadoc-0:3.2.1-2.GA_CP03.1jpp.ep1.9.el4
  • hibernate3-javadoc-1:3.2.4-1.SP1_CP04.0jpp.ep1.3.el4
  • hibernate3-validator-0:0.0.0-1.1jpp.ep1.1.el4
  • jakarta-commons-beanutils-0:1.7.0-2jpp.ep1.5.el4
  • javassist-0:3.8.0-1.ep1.el4
  • jboss-aop-0:1.5.5-2.CP02.0jpp.ep1.2.el4
  • jboss-jaxr-0:1.2.0-SP1.0jpp.ep1.4.el4
  • jboss-remoting-0:2.2.2-3.SP9.0jpp.ep1.1.el4
  • jboss-seam-0:1.2.1-1.ep1.10.el4
  • jboss-seam-docs-0:1.2.1-1.ep1.10.el4
  • jbossas-0:4.2.0-3.GA_CP04.ep1.8.el4
  • jbossts-1:4.2.3-1.SP5_CP02.1jpp.ep1.1.el4
  • jbossweb-0:2.0.0-4.CP06.0jpp.ep1.1.el4
  • jbossxb-0:1.0.0-2.SP3.0jpp.ep1.3.el4
  • rh-eap-docs-0:4.2.0-4.GA_CP04.ep1.5.el4
  • rh-eap-docs-examples-0:4.2.0-4.GA_CP04.ep1.5.el4
  • glassfish-jaf-0:1.1.0-0jpp.ep1.12.el5.1
  • glassfish-javamail-0:1.4.0-0jpp.ep1.10.el5
  • glassfish-jstl-0:1.2.0-0jpp.ep1.10.el5
  • hibernate3-1:3.2.4-1.SP1_CP04.0jpp.ep1.3.el5
  • hibernate3-annotations-0:3.2.1-4.GA_CP02.1jpp.ep1.7.el5.1
  • hibernate3-annotations-javadoc-0:3.2.1-4.GA_CP02.1jpp.ep1.7.el5.1
  • hibernate3-commons-annotations-0:0.0.0-1.1jpp.ep1.1.el5
  • hibernate3-entitymanager-0:3.2.1-2.GA_CP03.1jpp.ep1.9.el5
  • hibernate3-entitymanager-javadoc-0:3.2.1-2.GA_CP03.1jpp.ep1.9.el5
  • hibernate3-javadoc-1:3.2.4-1.SP1_CP04.0jpp.ep1.3.el5
  • hibernate3-validator-0:0.0.0-1.1jpp.ep1.1.el5
  • javassist-0:3.8.0-1jpp.ep1.2.el5
  • jboss-aop-0:1.5.5-2.CP02.0jpp.ep1.2.el5
  • jboss-jaxr-0:1.2.0-SP1.0jpp.ep1.4.el5
  • jboss-remoting-0:2.2.2-3.SP9.0jpp.ep1.2.el5
  • jboss-seam-0:1.2.1-1.ep1.9.el5
  • jboss-seam-docs-0:1.2.1-1.ep1.9.el5
  • jbossas-0:4.2.0-4.GA_CP04.ep1.7.el5.6
  • jbossts-1:4.2.3-1.SP5_CP02.1jpp.ep1.2.el5
  • jbossweb-0:2.0.0-4.CP06.0jpp.ep1.1.el5
  • jbossxb-0:1.0.0-2.SP3.0jpp.ep1.3.el5.1
  • rh-eap-docs-0:4.2.0-4.GA_CP04.ep1.3.el5
  • rh-eap-docs-examples-0:4.2.0-4.GA_CP04.ep1.3.el5
refmap via4
bid 31300
confirm http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=458823
misc
sectrack 1020905
xf jboss-downloadserverclasses-info-disclosure(45305)
Last major update 08-08-2017 - 01:31
Published 23-09-2008 - 15:24
Last modified 08-08-2017 - 01:31
Back to Top