CVE-2014-3464
Summary
| CVE | CVE-2014-3464 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2014-08-19 18:55:00 UTC |
| Updated | 2017-08-29 01:34:00 UTC |
| Description | The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) 6.2.0 and 6.3.0, does not properly enforce the method level restrictions for outbound messages, which allows remote authenticated users to access otherwise restricted JAX-WS handlers by leveraging permissions to the EJB class. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-2133. |
Risk And Classification
Problem Types: CWE-264 (Permissions, Privileges, and Access Controls)
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Redhat | Jboss Enterprise Application Platform | 6.2.0 | All | All | All |
| Application | Redhat | Jboss Enterprise Application Platform | 6.3.0 | All | All | All |
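Inventory tooling usually checks an asset against the rows above by comparing CPE 2.3 formatted strings component by component. The following is an added example, not code from the CVE record, NVD or Red Hat: it splits a CPE 2.3 string on unescaped colons, treats `*` in the affected configuration as ANY, and reports whether an asset falls inside the two affected configurations. The CPE strings for the two table rows (vendor `redhat`, product `jboss_enterprise_application_platform`) are reconstructed from the table and are an assumption; the sample asset strings are constructed for the demonstration.

```python
"""Match an asset's CPE 2.3 string against the affected configurations for
CVE-2014-3464 (added example; CPE strings below are reconstructed from the
NVD table and assumed, not copied from the NVD feed)."""

# Component names of a CPE 2.3 formatted string after the "cpe:2.3" prefix.
FIELDS = ("part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other")

# Assumed CPE 2.3 forms of the two "Known Affected Configurations" rows.
AFFECTED_CPES = (
    "cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.2.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.3.0:*:*:*:*:*:*:*",
)


def split_cpe(cpe: str) -> list:
    """Split on ':' while honouring backslash escapes (CPE 2.3 escapes ':' as '\\:')."""
    parts, current, i = [], "", 0
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):
            # Keep the escape pair intact so escaped colons stay in the component.
            current += cpe[i:i + 2]
            i += 2
            continue
        if ch == ":":
            parts.append(current)
            current = ""
        else:
            current += ch
        i += 1
    parts.append(current)
    return parts


def parse_cpe(cpe: str) -> dict:
    """Return the eleven named components of a CPE 2.3 formatted string."""
    parts = split_cpe(cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(FIELDS, parts[2:]))


def component_matches(pattern: str, value: str) -> bool:
    """ANY ('*') on the affected side matches everything; an unknown ('*')
    component on the asset side is treated as possibly affected, which is the
    conservative choice for inventory scanning. Otherwise compare case-insensitively."""
    if pattern == "*" or value == "*":
        return True
    return pattern.lower() == value.lower()


def cpe_matches(affected: str, asset: str) -> bool:
    """True when every component of the asset is covered by the affected pattern."""
    pattern, target = parse_cpe(affected), parse_cpe(asset)
    return all(component_matches(pattern[f], target[f]) for f in FIELDS)


def is_affected(asset_cpe: str) -> bool:
    """True when the asset falls inside any of the listed affected configurations."""
    return any(cpe_matches(p, asset_cpe) for p in AFFECTED_CPES)


if __name__ == "__main__":
    # Constructed sample assets: two in scope, one on a version the table does not list.
    for asset in (
        "cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.2.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.3.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.4.0:*:*:*:*:*:*:*",
    ):
        print(asset.split(":")[5], "affected" if is_affected(asset) else "not listed")
```

The matcher only answers "is this exact version listed"; it deliberately does not infer ranges, because the table gives two discrete versions and nothing about earlier or later releases. Escaped colons are preserved by `split_cpe` so that a product name containing `\:` is not split into extra components.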
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Red Hat Customer Portal | REDHAT | rhn.redhat.com | Vendor Advisory |
| Bug 1102317 – CVE-2014-3464 JBoss WS: Incomplete fix for CVE-2013-2133 | CONFIRM | bugzilla.redhat.com | |
| IBM X-Force Exchange | XF | exchange.xforce.ibmcloud.com | |
| Red Hat Customer Portal | REDHAT | rhn.redhat.com | Vendor Advisory |
| Red Hat Customer Portal | REDHAT | rhn.redhat.com | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 241030 Red Hat Update for JBoss Enterprise Application Platform 6.3.0 (RHSA-2014:1019)