#VU40893 Permissions, Privileges, and Access Controls in JBoss Enterprise Application Platform - CVE-2014-7849

Cybersecurity Help s.r.o.

Published: 2015-02-13 | Updated: 2020-08-09

Vulnerability identifier: #VU40893

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2014-7849

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
JBoss Enterprise Application Platform
Server applications / Application servers

Vendor: Red Hat Inc.

Description

The vulnerability allows a remote #AU# to manipulate data.

The Role Based Access Control (RBAC) implementation in JBoss Enterprise Application Platform (EAP) 6.2.0 through 6.3.2 does not properly verify authorization conditions, which allows remote authenticated users to add, modify, and undefine otherwise restricted attributes by leveraging the Maintainer role.

Mitigation
Install update from vendor's website.

Vulnerable software versions

JBoss Enterprise Application Platform: 6.2.0 - 6.3.2

External links
https://rhn.redhat.com/errata/RHSA-2015-0215.html
https://rhn.redhat.com/errata/RHSA-2015-0216.html
https://rhn.redhat.com/errata/RHSA-2015-0217.html
https://rhn.redhat.com/errata/RHSA-2015-0218.html
https://rhn.redhat.com/errata/RHSA-2015-0920.html
https://www.securitytracker.com/id/1031741
https://bugzilla.redhat.com/show_bug.cgi?id=1165170
https://exchange.xforce.ibmcloud.com/vulnerabilities/100890

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Permissions, Privileges, and Access Controls in JBoss Enterprise Application Platform