{"api_version":"1","generated_at":"2026-04-23T02:57:58+00:00","cve":"CVE-2007-1036","urls":{"html":"https://cve.report/CVE-2007-1036","api":"https://cve.report/api/cve/CVE-2007-1036.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2007-1036","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2007-1036"},"summary":{"title":"CVE-2007-1036","description":"The default configuration of JBoss does not restrict access to the (1) console and (2) web management interfaces, which allows remote attackers to bypass authentication and gain administrative access via direct requests.","state":"PUBLISHED","assigner":"mitre","published_at":"2007-02-21 11:28:00","updated_at":"2026-04-23 00:35:47"},"problem_types":["CWE-264","n/a"],"metrics":[{"version":"2.0","source":"nvd@nist.gov","type":"Primary","score":"7.5","severity":"","vector":"AV:N/AC:L/Au:N/C:P/I:P/A:P","data":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","baseScore":7.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"}}],"references":[{"url":"http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureTheJmxConsole","name":"http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureTheJmxConsole","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"JBoss.com - Wiki - SecureTheJmxConsole","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/archive/1/460597/100/0/threaded","name":"http://www.securityfocus.com/archive/1/460597/100/0/threaded","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"SecurityFocus","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss","name":"http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"JBoss.com - Wiki - SecureJBoss","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/archive/1/460605/100/0/threaded","name":"http://www.securityfocus.com/archive/1/460605/100/0/threaded","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"SecurityFocus","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"http://www.kb.cert.org/vuls/id/632656","name":"http://www.kb.cert.org/vuls/id/632656","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["US Government Resource"],"title":"US-CERT Vulnerability Note VU#632656","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/32596","name":"https://exchange.xforce.ibmcloud.com/vulnerabilities/32596","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"IBM X-Force Exchange","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securitytracker.com/id?1017677","name":"http://www.securitytracker.com/id?1017677","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"JBoss Default Configuration Lets Remote Users Gain Administrative Access - SecurityTracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/archive/1/460695/100/0/threaded","name":"http://www.securityfocus.com/archive/1/460695/100/0/threaded","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"SecurityFocus","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://osvdb.org/33744","name":"http://osvdb.org/33744","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"","mime":"","httpstatus":"-1","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2007-1036","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2007-1036","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"n/a","product":"n/a","version":"affected n/a","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2007","cve_id":"1036","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"jboss","cpe5":"jboss_application_server","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[{"cvename":"CVE-2007-1036","organization":"Red Hat","lastmodified":"2007-05-18","contributor":"Mark J Cox","statementText":"The JBoss AS console manager should always be secured prior to deployment, as directed in the JBoss Application Server Guide and release notes. By default, the JBoss AS installer gives users the ability to password protect the console manager. If the user did not use the installer, the raw JBoss services will be in a completely unconfigured state and these steps should be performed manually: http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss","cve_year":"2007","cve_id":"1036","crc32":"aa8cb084"}],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-07T12:43:22.417Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_refsource_MISC","x_transferred"],"url":"http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss"},{"name":"1017677","tags":["vdb-entry","x_refsource_SECTRACK","x_transferred"],"url":"http://www.securitytracker.com/id?1017677"},{"tags":["x_refsource_MISC","x_transferred"],"url":"http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureTheJmxConsole"},{"name":"jboss-admin-unauth-access(32596)","tags":["vdb-entry","x_refsource_XF","x_transferred"],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/32596"},{"name":"VU#632656","tags":["third-party-advisory","x_refsource_CERT-VN","x_transferred"],"url":"http://www.kb.cert.org/vuls/id/632656"},{"name":"20070220 Jboss vulnerability","tags":["mailing-list","x_refsource_BUGTRAQ","x_transferred"],"url":"http://www.securityfocus.com/archive/1/460597/100/0/threaded"},{"name":"33744","tags":["vdb-entry","x_refsource_OSVDB","x_transferred"],"url":"http://osvdb.org/33744"},{"name":"20070220 Re: Jboss vulnerability","tags":["mailing-list","x_refsource_BUGTRAQ","x_transferred"],"url":"http://www.securityfocus.com/archive/1/460605/100/0/threaded"},{"name":"20070220 Re: Jboss vulnerability","tags":["mailing-list","x_refsource_BUGTRAQ","x_transferred"],"url":"http://www.securityfocus.com/archive/1/460695/100/0/threaded"}],"title":"CVE Program Container"}],"cna":{"affected":[{"product":"n/a","vendor":"n/a","versions":[{"status":"affected","version":"n/a"}]}],"datePublic":"2007-02-20T00:00:00.000Z","descriptions":[{"lang":"en","value":"The default configuration of JBoss does not restrict access to the (1) console and (2) web management interfaces, which allows remote attackers to bypass authentication and gain administrative access via direct requests."}],"problemTypes":[{"descriptions":[{"description":"n/a","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2018-10-16T14:57:01.000Z","orgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","shortName":"mitre"},"references":[{"tags":["x_refsource_MISC"],"url":"http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss"},{"name":"1017677","tags":["vdb-entry","x_refsource_SECTRACK"],"url":"http://www.securitytracker.com/id?1017677"},{"tags":["x_refsource_MISC"],"url":"http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureTheJmxConsole"},{"name":"jboss-admin-unauth-access(32596)","tags":["vdb-entry","x_refsource_XF"],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/32596"},{"name":"VU#632656","tags":["third-party-advisory","x_refsource_CERT-VN"],"url":"http://www.kb.cert.org/vuls/id/632656"},{"name":"20070220 Jboss vulnerability","tags":["mailing-list","x_refsource_BUGTRAQ"],"url":"http://www.securityfocus.com/archive/1/460597/100/0/threaded"},{"name":"33744","tags":["vdb-entry","x_refsource_OSVDB"],"url":"http://osvdb.org/33744"},{"name":"20070220 Re: Jboss vulnerability","tags":["mailing-list","x_refsource_BUGTRAQ"],"url":"http://www.securityfocus.com/archive/1/460605/100/0/threaded"},{"name":"20070220 Re: Jboss vulnerability","tags":["mailing-list","x_refsource_BUGTRAQ"],"url":"http://www.securityfocus.com/archive/1/460695/100/0/threaded"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2007-1036","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"The default configuration of JBoss does not restrict access to the (1) console and (2) web management interfaces, which allows remote attackers to bypass authentication and gain administrative access via direct requests."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss","refsource":"MISC","url":"http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss"},{"name":"1017677","refsource":"SECTRACK","url":"http://www.securitytracker.com/id?1017677"},{"name":"http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureTheJmxConsole","refsource":"MISC","url":"http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureTheJmxConsole"},{"name":"jboss-admin-unauth-access(32596)","refsource":"XF","url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/32596"},{"name":"VU#632656","refsource":"CERT-VN","url":"http://www.kb.cert.org/vuls/id/632656"},{"name":"20070220 Jboss vulnerability","refsource":"BUGTRAQ","url":"http://www.securityfocus.com/archive/1/460597/100/0/threaded"},{"name":"33744","refsource":"OSVDB","url":"http://osvdb.org/33744"},{"name":"20070220 Re: Jboss vulnerability","refsource":"BUGTRAQ","url":"http://www.securityfocus.com/archive/1/460605/100/0/threaded"},{"name":"20070220 Re: Jboss vulnerability","refsource":"BUGTRAQ","url":"http://www.securityfocus.com/archive/1/460695/100/0/threaded"}]}}}},"cveMetadata":{"assignerOrgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","assignerShortName":"mitre","cveId":"CVE-2007-1036","datePublished":"2007-02-21T11:00:00.000Z","dateReserved":"2007-02-20T00:00:00.000Z","dateUpdated":"2024-08-07T12:43:22.417Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"},"nvd":{"publishedDate":"2007-02-21 11:28:00","lastModifiedDate":"2026-04-23 00:35:47","problem_types":["CWE-264","n/a"],"metrics":{"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","baseScore":7.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"HIGH","exploitabilityScore":10,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":true,"userInteractionRequired":false}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:jboss:jboss_application_server:*:*:*:*:*:*:*:*","matchCriteriaId":"B9B61ABC-C01B-401A-B83C-5B6D2B97AC98"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2007","CveId":"1036","Ordinal":"1","Title":"CVE-2007-1036","CVE":"CVE-2007-1036","Year":"2007"},"notes":[{"CveYear":"2007","CveId":"1036","Ordinal":"1","NoteData":"The default configuration of JBoss does not restrict access to the (1) console and (2) web management interfaces, which allows remote attackers to bypass authentication and gain administrative access via direct requests.","Type":"Description","Title":"CVE-2007-1036"},{"CveYear":"2007","CveId":"1036","Ordinal":"2","NoteData":"2007-02-21","Type":"Other","Title":"Published"},{"CveYear":"2007","CveId":"1036","Ordinal":"3","NoteData":"2018-10-16","Type":"Other","Title":"Modified"}]}}}