ID CVE-2010-0738
Summary The JMX-Console web application in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to send requests to this application's GET handler by using a different method.
References
Vulnerable Configurations
  • cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:-:*:*:*:*:*:*
  • cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:-:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 28-06-2024 - 17:29)
Impact:
Exploitability:
CWE NVD-CWE-noinfo
CAPEC
Access
  Vector NETWORK
  Complexity LOW
  Authentication NONE
Impact
  Confidentiality PARTIAL
  Integrity NONE
  Availability NONE
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:N/A:N
redhat via4
advisories
  • rhsa
    id RHSA-2010:0376
  • rhsa
    id RHSA-2010:0377
  • rhsa
    id RHSA-2010:0378
  • rhsa
    id RHSA-2010:0379
rpms
  • hibernate3-1:3.2.4-1.SP1_CP10.0jpp.ep1.1.el4
  • hibernate3-annotations-0:3.3.1-1.12.GA_CP03.ep1.el4
  • hibernate3-annotations-javadoc-0:3.3.1-1.12.GA_CP03.ep1.el4
  • hibernate3-javadoc-1:3.2.4-1.SP1_CP10.0jpp.ep1.1.el4
  • hsqldb-1:1.8.0.8-3.patch03.1jpp.ep1.3.el4
  • jacorb-0:2.3.0-1jpp.ep1.10.el4
  • jakarta-commons-httpclient-1:3.0.1-1.patch01.1jpp.ep1.4.el4
  • jboss-aop-0:1.5.5-3.CP05.2.ep1.el4
  • jboss-cache-0:1.4.1-6.SP14.1.ep1.el4
  • jboss-remoting-0:2.2.3-3.SP2.ep1.el4
  • jboss-seam-0:1.2.1-1.ep1.24.el4
  • jboss-seam-docs-0:1.2.1-1.ep1.24.el4
  • jbossas-0:4.2.0-6.GA_CP09.6.ep1.el4
  • jbossas-4.2.0.GA_CP09-bin-0:4.2.0-6.GA_CP09.6.ep1.el4
  • jbossas-client-0:4.2.0-6.GA_CP09.6.ep1.el4
  • jbossts-1:4.2.3-1.SP5_CP09.1jpp.ep1.1.el4
  • jbossweb-0:2.0.0-6.CP13.0jpp.ep1.1.el4
  • rh-eap-docs-0:4.2.0-7.GA_CP09.ep1.5.el4
  • rh-eap-docs-examples-0:4.2.0-7.GA_CP09.ep1.5.el4
  • hibernate3-1:3.2.4-1.SP1_CP10.0jpp.ep1.1.el4
  • hibernate3-annotations-0:3.3.1-1.12.GA_CP03.ep1.el4
  • hibernate3-annotations-javadoc-0:3.3.1-1.12.GA_CP03.ep1.el4
  • hibernate3-javadoc-1:3.2.4-1.SP1_CP10.0jpp.ep1.1.el4
  • hsqldb-1:1.8.0.8-3.patch03.1jpp.ep1.3.el4
  • jacorb-0:2.3.0-1jpp.ep1.10.el4
  • jakarta-commons-httpclient-1:3.0.1-1.patch01.1jpp.ep1.4.el4
  • jboss-aop-0:1.5.5-3.CP05.2.ep1.el4
  • jboss-cache-0:1.4.1-6.SP14.1.ep1.el4
  • jboss-messaging-0:1.4.0-3.SP3_CP10.2.ep1.el4
  • jboss-remoting-0:2.2.3-3.SP2.ep1.el4
  • jboss-seam-0:1.2.1-3.JBPAPP_4_3_0_GA.ep1.20.el4
  • jboss-seam-docs-0:1.2.1-3.JBPAPP_4_3_0_GA.ep1.20.el4
  • jboss-seam2-0:2.0.2.FP-1.ep1.23.el4
  • jboss-seam2-docs-0:2.0.2.FP-1.ep1.23.el4
  • jbossas-0:4.3.0-7.GA_CP08.5.ep1.el4
  • jbossas-4.3.0.GA_CP08-bin-0:4.3.0-7.GA_CP08.5.ep1.el4
  • jbossas-client-0:4.3.0-7.GA_CP08.5.ep1.el4
  • jbossts-1:4.2.3-1.SP5_CP09.1jpp.ep1.1.el4
  • jbossweb-0:2.0.0-6.CP13.0jpp.ep1.1.el4
  • jbossws-0:2.0.1-5.SP2_CP08.1.ep1.el4
  • rh-eap-docs-0:4.3.0-7.GA_CP08.ep1.6.el4
  • rh-eap-docs-examples-0:4.3.0-7.GA_CP08.ep1.6.el4
  • hibernate3-1:3.2.4-1.SP1_CP10.0jpp.ep1.1.el5
  • hibernate3-annotations-0:3.3.1-1.12.GA_CP03.ep1.el5
  • hibernate3-annotations-javadoc-0:3.3.1-1.12.GA_CP03.ep1.el5
  • hibernate3-javadoc-1:3.2.4-1.SP1_CP10.0jpp.ep1.1.el5
  • jacorb-0:2.3.0-1jpp.ep1.10.1.el5
  • jboss-aop-0:1.5.5-3.CP05.2.ep1.1.el5
  • jboss-cache-0:1.4.1-6.SP14.1.ep1.1.el5
  • jboss-remoting-0:2.2.3-3.SP2.ep1.1.el5
  • jboss-seam-0:1.2.1-1.ep1.24.el5
  • jboss-seam-docs-0:1.2.1-1.ep1.24.el5
  • jbossas-0:4.2.0-6.GA_CP09.6.ep1.el5
  • jbossas-4.2.0.GA_CP09-bin-0:4.2.0-6.GA_CP09.6.ep1.el5
  • jbossas-client-0:4.2.0-6.GA_CP09.6.ep1.el5
  • jbossts-1:4.2.3-1.SP5_CP09.1jpp.ep1.1.1.el5
  • jbossweb-0:2.0.0-6.CP13.0jpp.ep1.1.1.el5
  • rh-eap-docs-0:4.2.0-7.GA_CP09.ep1.4.1.el5
  • rh-eap-docs-examples-0:4.2.0-7.GA_CP09.ep1.4.1.el5
  • hibernate3-1:3.2.4-1.SP1_CP10.0jpp.ep1.1.el5
  • hibernate3-annotations-0:3.3.1-1.12.GA_CP03.ep1.el5
  • hibernate3-annotations-javadoc-0:3.3.1-1.12.GA_CP03.ep1.el5
  • hibernate3-javadoc-1:3.2.4-1.SP1_CP10.0jpp.ep1.1.el5
  • jacorb-0:2.3.0-1jpp.ep1.10.1.el5
  • jboss-aop-0:1.5.5-3.CP05.2.ep1.1.el5
  • jboss-cache-0:1.4.1-6.SP14.1.ep1.1.el5
  • jboss-messaging-0:1.4.0-3.SP3_CP10.2.ep1.el5
  • jboss-remoting-0:2.2.3-3.SP2.ep1.1.el5
  • jboss-seam-0:1.2.1-3.JBPAPP_4_3_0_GA.ep1.20.el5.1
  • jboss-seam-docs-0:1.2.1-3.JBPAPP_4_3_0_GA.ep1.20.el5.1
  • jboss-seam2-0:2.0.2.FP-1.ep1.23.el5
  • jboss-seam2-docs-0:2.0.2.FP-1.ep1.23.el5
  • jbossas-0:4.3.0-7.GA_CP08.5.ep1.el5
  • jbossas-4.3.0.GA_CP08-bin-0:4.3.0-7.GA_CP08.5.ep1.el5
  • jbossas-client-0:4.3.0-7.GA_CP08.5.ep1.el5
  • jbossts-1:4.2.3-1.SP5_CP09.1jpp.ep1.1.1.el5
  • jbossweb-0:2.0.0-6.CP13.0jpp.ep1.1.1.el5
  • jbossws-0:2.0.1-5.SP2_CP08.1.ep1.1.el5
  • rh-eap-docs-0:4.3.0-7.GA_CP08.ep1.5.el5
  • rh-eap-docs-examples-0:4.3.0-7.GA_CP08.ep1.5.el5
refmap via4
bid 39710
confirm
hp
  • HPSBMU02714
  • SSRT100244
sectrack 1023918
secunia 39563
sreason 8408
vupen ADV-2010-0992
xf jboss-jmxconsole-security-bypass(58147)
saint via4
bid 39710
description RedHat JBoss Enterprise Application Platform JMX Console Authentication Bypass
id web_dev_jbossasver
osvdb 64171
title jboss_application_server_jmx_console_authentication_bypass
type remote
Last major update 28-06-2024 - 17:29
Published 28-04-2010 - 22:30
Last modified 28-06-2024 - 17:29