Multiple vulnerabilities in JBoss Application Server
| Risk | Medium |
| Patch available | NO |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2011-3609 CVE-2011-3606 |
| CWE-ID | CWE-352 CWE-79 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
JBoss Application Server Server applications / Application servers |
| Vendor | Red Hat Inc. |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Cross-site request forgery
EUVDB-ID: #VU35036
Risk: Medium
CVSSv3.1: 6 [AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2011-3609
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website, such as lead to unauthorized information leak if a user with admin privileges visits a specially-crafted web page provided by a remote attacker.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsJBoss Application Server: 7.0.0 - 7.0.2
CPE2.3- cpe:2.3:a:red_hat:jboss_application_server:7.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:red_hat:jboss_application_server:7.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:red_hat:jboss_application_server:7.0.2:*:*:*:*:*:*:*
http://access.redhat.com/security/cve/cve-2011-3609
http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3609
http://security-tracker.debian.org/tracker/CVE-2011-3609
http://www.securityfocus.com/bid/50888
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Cross-site scripting
EUVDB-ID: #VU35038
Risk: Low
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2011-3606
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to read and manipulate data.
A DOM based cross-site scripting flaw was found in the JBoss Application Server 7 before 7.1.0 Beta 1 administration console. A remote attacker could provide a specially-crafted web page and trick the valid JBoss AS user, with the administrator privilege, to visit it, which would lead into the DOM environment modification and arbitrary HTML or web script execution.
MitigationInstall update from vendor's website.
Vulnerable software versionsJBoss Application Server: 7.0.0 - 7.0.2
CPE2.3- cpe:2.3:a:red_hat:jboss_application_server:7.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:red_hat:jboss_application_server:7.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:red_hat:jboss_application_server:7.0.2:*:*:*:*:*:*:*
http://access.redhat.com/security/cve/cve-2011-3606
http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3606
http://security-tracker.debian.org/tracker/CVE-2011-3606
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
