CVE-2012-3428
Summary
| CVE | CVE-2012-3428 |
|---|
| State | PUBLIC |
|---|
| Assigner | [email protected] |
|---|
| Source Priority | CVE Program / NVD first with legacy fallback |
|---|
| Published | 2012-12-20 12:02:00 UTC |
|---|
| Updated | 2013-01-08 05:04:00 UTC |
|---|
| Description | The IronJacamar container before 1.0.12.Final for JBoss Application Server, when allow-multiple-users is enabled in conjunction with a security domain, does not use the credentials supplied in a getConnection function call, which allows remote attackers to obtain access to an arbitrary datasource connection in opportunistic circumstances via an invalid connection attempt. |
|---|
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|
| Application |
Jboss |
Ironjacamar |
All |
All |
All |
All |
References
| Reference | Source | Link | Tags |
|---|
| Red Hat Customer Portal |
REDHAT |
rhn.redhat.com |
|
| Security Advisory SA51607 - Red Hat update for JBoss Enterprise Application Platform - Secunia |
SECUNIA |
secunia.com |
|
| Red Hat Customer Portal |
REDHAT |
rhn.redhat.com |
|
| Login server redirect |
MISC |
issues.jboss.org |
|
| [#JBJCA-864] allow-multiple-users doesn't work with security domains - JBoss Issue Tracker |
CONFIRM |
issues.jboss.org |
Vendor Advisory |
| Release Notes - IronJacamar - Version 1.0.12.Final - HTML format - JBoss Issue Tracker |
CONFIRM |
issues.jboss.org |
|
| 843358 – (CVE-2012-3428) CVE-2012-3428 JBoss: Datasource connection manager returns valid connection for wrong credentials when using security-domains |
CONFIRM |
bugzilla.redhat.com |
|
| Red Hat Customer Portal |
REDHAT |
rhn.redhat.com |
|
| CVE Program record |
CVE.ORG |
www.cve.org |
canonical |
| NVD vulnerability detail |
NVD |
nvd.nist.gov |
canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 996543 Java (Maven) Security Update for org.jboss.ironjacamar:ironjacamar-jdbc (GHSA-ppg2-ww3w-hq84)
