CVE-2012-1167

CVE	CVE-2012-1167
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2012-11-23 20:55:00 UTC
Updated	2017-08-29 01:31:00 UTC
Description	The JBoss Server in JBoss Enterprise Application Platform 5.1.x before 5.1.2 and 5.2.x before 5.2.2, Web Platform before 5.1.2, BRMS Platform before 5.3.0, and SOA Platform before 5.3.0, when the server is configured to use the JaccAuthorizationRealm and the ignoreBaseDecision property is set to true on the JBossWebRealm, does not properly check the permissions created by the WebPermissionMapping class, which allows remote authenticated users to access arbitrary applications.

Problem Types: CWE-264

Type	Vendor	Product	Version	Update	Edition	Language
Application	Redhat	Jboss Enterprise Application Platform	5.1.0	All	All	All
Application	Redhat	Jboss Enterprise Application Platform	5.1.1	All	All	All
Application	Redhat	Jboss Enterprise Application Platform	5.2.0	All	All	All
Application	Redhat	Jboss Enterprise Application Platform	5.2.1	All	All	All
Application	Redhat	Jboss Enterprise Application Platform	5.1.0	All	All	All
Application	Redhat	Jboss Enterprise Application Platform	5.1.1	All	All	All
Application	Redhat	Jboss Enterprise Application Platform	5.2.0	All	All	All
Application	Redhat	Jboss Enterprise Application Platform	5.2.1	All	All	All
Application	Redhat	Jboss Enterprise Brms Platform	All	All	All	All
Application	Redhat	Jboss Enterprise Soa Platform	5.0.0	All	All	All
Application	Redhat	Jboss Enterprise Soa Platform	5.0.1	All	All	All
Application	Redhat	Jboss Enterprise Soa Platform	5.0.2	All	All	All
Application	Redhat	Jboss Enterprise Soa Platform	5.1.0	All	All	All
Application	Redhat	Jboss Enterprise Soa Platform	5.1.1	All	All	All
Application	Redhat	Jboss Enterprise Soa Platform	5.0.0	All	All	All
Application	Redhat	Jboss Enterprise Soa Platform	5.0.1	All	All	All
Application	Redhat	Jboss Enterprise Soa Platform	5.0.2	All	All	All
Application	Redhat	Jboss Enterprise Soa Platform	5.1.0	All	All	All
Application	Redhat	Jboss Enterprise Soa Platform	5.1.1	All	All	All
Application	Redhat	Jboss Enterprise Soa Platform	All	All	All	All
Application	Redhat	Jboss Enterprise Web Platform	5.1.0	All	All	All
Application	Redhat	Jboss Enterprise Web Platform	5.1.0	All	All	All
Application	Redhat	Jboss Enterprise Web Platform	All	All	All	All

Reference	Source	Link	Tags
Security Advisory SA49658 - Red Hat update for JBoss Enterprise Products - Secunia	SECUNIA	secunia.com	Vendor Advisory
802622 – (CVE-2012-1167) CVE-2012-1167 JBoss: authentication bypass when running under JACC with ignoreBaseDecision on JBossWebRealm	MISC	bugzilla.redhat.com
IBM X-Force Exchange	XF	exchange.xforce.ibmcloud.com
Security Advisory SA49635 - Red Hat update for JBoss Enterprise Application Platform and JBoss Enterprise Web Platform - Secunia	SECUNIA	secunia.com	Vendor Advisory
Red Hat Customer Portal	REDHAT	rhn.redhat.com	Vendor Advisory
RHSA-2012:1125	REDHAT	rhn.redhat.com	Vendor Advisory
RHSA-2012:1028	REDHAT	rhn.redhat.com
JBoss CVE-2012-1167 Security Bypass Vulnerability	BID	www.securityfocus.com
Red Hat Customer Portal	REDHAT	rhn.redhat.com	Vendor Advisory
Security Advisory SA50549 - Red Hat update for JBoss Enterprise Portal Platform - Secunia	SECUNIA	secunia.com	Vendor Advisory
Red Hat Customer Portal	REDHAT	rhn.redhat.com	Vendor Advisory
JBoss 'ignoreBaseDecision' Property May Let Remote Authenticated Users Bypass Access Controls - SecurityTracker	SECTRACK	securitytracker.com
Red Hat Customer Portal	REDHAT	rhn.redhat.com	Vendor Advisory
RHSA-2012:1014	REDHAT	rhn.redhat.com	Vendor Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.