{"api_version":"1","generated_at":"2026-04-22T21:37:06+00:00","cve":"CVE-2012-3369","urls":{"html":"https://cve.report/CVE-2012-3369","api":"https://cve.report/api/cve/CVE-2012-3369.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2012-3369","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2012-3369"},"summary":{"title":"CVE-2012-3369","description":"The CallerIdentityLoginModule in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 allows remote attackers to gain privileges of the previous user via a null password, which causes the previous user's password to be used.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2013-02-05 23:55:00","updated_at":"2017-08-29 01:31:00"},"problem_types":["CWE-264"],"metrics":[],"references":[{"url":"http://rhn.redhat.com/errata/RHSA-2013-0533.html","name":"RHSA-2013:0533","refsource":"REDHAT","tags":[],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/81512","name":"jboss-eap-session-hijacking(81512)","refsource":"XF","tags":[],"title":"IBM X-Force Exchange","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://securitytracker.com/id?1028042","name":"1028042","refsource":"SECTRACK","tags":[],"title":"JBoss Multiple Bugs Let Remote Users Execute Arbitrary Code, Hijack User Sessions or Credentials, and Gain Elevated Privileges - SecurityTracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/57547","name":"57547","refsource":"BID","tags":[],"title":"JBoss Enterprise Application Platform CVE-2012-3369 Security Bypass Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"http://rhn.redhat.com/errata/RHSA-2013-0194.html","name":"RHSA-2013:0194","refsource":"REDHAT","tags":["Vendor Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"http://rhn.redhat.com/errata/RHSA-2013-0193.html","name":"RHSA-2013:0193","refsource":"REDHAT","tags":["Vendor Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"http://rhn.redhat.com/errata/RHSA-2013-0198.html","name":"RHSA-2013:0198","refsource":"REDHAT","tags":["Vendor Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"http://rhn.redhat.com/errata/RHSA-2013-0196.html","name":"RHSA-2013:0196","refsource":"REDHAT","tags":["Vendor Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=836451","name":"https://bugzilla.redhat.com/show_bug.cgi?id=836451","refsource":"MISC","tags":[],"title":"836451 – (CVE-2012-3369) CVE-2012-3369 JBoss: CallerIdentityLoginModule retaining password from previous call if a null password is provided","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://rhn.redhat.com/errata/RHSA-2013-0191.html","name":"RHSA-2013:0191","refsource":"REDHAT","tags":["Vendor Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"http://rhn.redhat.com/errata/RHSA-2013-0192.html","name":"RHSA-2013:0192","refsource":"REDHAT","tags":["Vendor Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"http://rhn.redhat.com/errata/RHSA-2013-0221.html","name":"RHSA-2013:0221","refsource":"REDHAT","tags":["Vendor Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"http://rhn.redhat.com/errata/RHSA-2013-0195.html","name":"RHSA-2013:0195","refsource":"REDHAT","tags":["Vendor Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"http://secunia.com/advisories/51984","name":"51984","refsource":"SECUNIA","tags":["Vendor Advisory"],"title":"Security Advisory SA51984 - Red Hat update for JBoss Enterprise Application Platform and JBoss Enterprise Web Platform - Secunia","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://secunia.com/advisories/52054","name":"52054","refsource":"SECUNIA","tags":["Vendor Advisory"],"title":"Security Advisory SA52054 - Red Hat update for JBoss Enterprise BRMS Platform - Secunia","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://rhn.redhat.com/errata/RHSA-2013-0197.html","name":"RHSA-2013:0197","refsource":"REDHAT","tags":["Vendor Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2012-3369","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2012-3369","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2012","cve_id":"3369","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"jboss_enterprise_application_platform","cpe6":"5.2.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2012","cve_id":"3369","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"jboss_enterprise_application_platform","cpe6":"5.2.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2012","cve_id":"3369","vulnerable":"1","versionEndIncluding":"5.3.0","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"jboss_enterprise_brms_platform","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2012","cve_id":"3369","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"jboss_enterprise_web_platform","cpe6":"5.2.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2012","cve_id":"3369","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"jboss_enterprise_web_platform","cpe6":"5.2.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2012-3369","ASSIGNER":"secalert@redhat.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"The CallerIdentityLoginModule in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 allows remote attackers to gain privileges of the previous user via a null password, which causes the previous user's password to be used."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_affected":"=","version_value":"n/a"}]}}]}}]}},"references":{"reference_data":[{"url":"http://rhn.redhat.com/errata/RHSA-2013-0191.html","refsource":"MISC","name":"http://rhn.redhat.com/errata/RHSA-2013-0191.html"},{"url":"http://rhn.redhat.com/errata/RHSA-2013-0192.html","refsource":"MISC","name":"http://rhn.redhat.com/errata/RHSA-2013-0192.html"},{"url":"http://rhn.redhat.com/errata/RHSA-2013-0193.html","refsource":"MISC","name":"http://rhn.redhat.com/errata/RHSA-2013-0193.html"},{"url":"http://rhn.redhat.com/errata/RHSA-2013-0194.html","refsource":"MISC","name":"http://rhn.redhat.com/errata/RHSA-2013-0194.html"},{"url":"http://rhn.redhat.com/errata/RHSA-2013-0195.html","refsource":"MISC","name":"http://rhn.redhat.com/errata/RHSA-2013-0195.html"},{"url":"http://rhn.redhat.com/errata/RHSA-2013-0196.html","refsource":"MISC","name":"http://rhn.redhat.com/errata/RHSA-2013-0196.html"},{"url":"http://rhn.redhat.com/errata/RHSA-2013-0197.html","refsource":"MISC","name":"http://rhn.redhat.com/errata/RHSA-2013-0197.html"},{"url":"http://rhn.redhat.com/errata/RHSA-2013-0198.html","refsource":"MISC","name":"http://rhn.redhat.com/errata/RHSA-2013-0198.html"},{"url":"http://rhn.redhat.com/errata/RHSA-2013-0221.html","refsource":"MISC","name":"http://rhn.redhat.com/errata/RHSA-2013-0221.html"},{"url":"http://rhn.redhat.com/errata/RHSA-2013-0533.html","refsource":"MISC","name":"http://rhn.redhat.com/errata/RHSA-2013-0533.html"},{"url":"http://secunia.com/advisories/51984","refsource":"MISC","name":"http://secunia.com/advisories/51984"},{"url":"http://secunia.com/advisories/52054","refsource":"MISC","name":"http://secunia.com/advisories/52054"},{"url":"http://securitytracker.com/id?1028042","refsource":"MISC","name":"http://securitytracker.com/id?1028042"},{"url":"http://www.securityfocus.com/bid/57547","refsource":"MISC","name":"http://www.securityfocus.com/bid/57547"},{"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/81512","refsource":"MISC","name":"https://exchange.xforce.ibmcloud.com/vulnerabilities/81512"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=836451","refsource":"MISC","name":"https://bugzilla.redhat.com/show_bug.cgi?id=836451"}]}},"nvd":{"publishedDate":"2013-02-05 23:55:00","lastModifiedDate":"2017-08-29 01:31:00","problem_types":["CWE-264"],"metrics":{"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:H/Au:N/C:P/I:P/A:N","accessVector":"NETWORK","accessComplexity":"HIGH","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":4},"severity":"MEDIUM","exploitabilityScore":4.9,"impactScore":4.9,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:jboss_enterprise_web_platform:5.2.0:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.2.0:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:jboss_enterprise_brms_platform:*:*:*:*:*:*:*:*","versionEndIncluding":"5.3.0","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2012","CveId":"3369","Ordinal":"56116","Title":"CVE-2012-3369","CVE":"CVE-2012-3369","Year":"2012"},"notes":[{"CveYear":"2012","CveId":"3369","Ordinal":"1","NoteData":"The CallerIdentityLoginModule in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 allows remote attackers to gain privileges of the previous user via a null password, which causes the previous user's password to be used.","Type":"Description","Title":null},{"CveYear":"2012","CveId":"3369","Ordinal":"2","NoteData":"2013-02-05","Type":"Other","Title":"Published"},{"CveYear":"2012","CveId":"3369","Ordinal":"3","NoteData":"2017-08-28","Type":"Other","Title":"Modified"}]}}}