Permissions, Privileges, and Access Controls in JBoss Enterprise Application Platform



| Updated: 2020-08-09
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2014-7849
CWE-ID CWE-264
Exploitation vector Network
Public exploit N/A
Vulnerable software
 JBoss Enterprise Application Platform
Server applications / Application servers

Vendor Red Hat Inc.

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU40893

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2014-7849

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote #AU# to manipulate data.

The Role Based Access Control (RBAC) implementation in JBoss Enterprise Application Platform (EAP) 6.2.0 through 6.3.2 does not properly verify authorization conditions, which allows remote authenticated users to add, modify, and undefine otherwise restricted attributes by leveraging the Maintainer role.

Mitigation

Install update from vendor's website.

Vulnerable software versions

JBoss Enterprise Application Platform: 6.2.0 - 6.3.2

CPE2.3 External links

https://rhn.redhat.com/errata/RHSA-2015-0215.html
https://rhn.redhat.com/errata/RHSA-2015-0216.html
https://rhn.redhat.com/errata/RHSA-2015-0217.html
https://rhn.redhat.com/errata/RHSA-2015-0218.html
https://rhn.redhat.com/errata/RHSA-2015-0920.html
https://www.securitytracker.com/id/1031741
https://bugzilla.redhat.com/show_bug.cgi?id=1165170
https://exchange.xforce.ibmcloud.com/vulnerabilities/100890


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###