{"api_version":"1","generated_at":"2026-04-22T21:37:32+00:00","cve":"CVE-2012-3370","urls":{"html":"https://cve.report/CVE-2012-3370","api":"https://cve.report/api/cve/CVE-2012-3370.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2012-3370","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2012-3370"},"summary":{"title":"CVE-2012-3370","description":"The SecurityAssociation.getCredential method in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 returns the credentials of the previous user when a security context is not provided, which allows remote attackers to gain privileges as other users.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2013-02-05 23:55:00","updated_at":"2017-08-29 01:31:00"},"problem_types":["CWE-264"],"metrics":[],"references":[{"url":"http://rhn.redhat.com/errata/RHSA-2013-0533.html","name":"RHSA-2013:0533","refsource":"REDHAT","tags":[],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"http://securitytracker.com/id?1028042","name":"1028042","refsource":"SECTRACK","tags":[],"title":"JBoss Multiple Bugs Let Remote Users Execute Arbitrary Code, Hijack User Sessions or Credentials, and Gain Elevated Privileges - SecurityTracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://rhn.redhat.com/errata/RHSA-2013-0194.html","name":"RHSA-2013:0194","refsource":"REDHAT","tags":["Vendor Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"http://rhn.redhat.com/errata/RHSA-2013-0193.html","name":"RHSA-2013:0193","refsource":"REDHAT","tags":["Vendor Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"http://rhn.redhat.com/errata/RHSA-2013-0198.html","name":"RHSA-2013:0198","refsource":"REDHAT","tags":["Vendor Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=836456","name":"https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=836456","refsource":"MISC","tags":[],"title":"836456 – (CVE-2012-3370) CVE-2012-3370 JBoss: SecurityAssociation.getCredential() will return the previous credential if no security context is provided","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://rhn.redhat.com/errata/RHSA-2013-0196.html","name":"RHSA-2013:0196","refsource":"REDHAT","tags":["Vendor Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"http://rhn.redhat.com/errata/RHSA-2013-0191.html","name":"RHSA-2013:0191","refsource":"REDHAT","tags":["Vendor Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"http://rhn.redhat.com/errata/RHSA-2013-0192.html","name":"RHSA-2013:0192","refsource":"REDHAT","tags":["Vendor Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"http://rhn.redhat.com/errata/RHSA-2013-0221.html","name":"RHSA-2013:0221","refsource":"REDHAT","tags":["Vendor Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"http://rhn.redhat.com/errata/RHSA-2013-0195.html","name":"RHSA-2013:0195","refsource":"REDHAT","tags":["Vendor Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"http://www.osvdb.org/89581","name":"89581","refsource":"OSVDB","tags":[],"title":"","mime":"","httpstatus":"-1","archivestatus":"0"},{"url":"http://secunia.com/advisories/51984","name":"51984","refsource":"SECUNIA","tags":["Vendor Advisory"],"title":"Security Advisory SA51984 - Red Hat update for JBoss Enterprise Application Platform and JBoss Enterprise Web Platform - Secunia","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://secunia.com/advisories/52054","name":"52054","refsource":"SECUNIA","tags":["Vendor Advisory"],"title":"Security Advisory SA52054 - Red Hat update for JBoss Enterprise BRMS Platform - Secunia","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://rhn.redhat.com/errata/RHSA-2013-0197.html","name":"RHSA-2013:0197","refsource":"REDHAT","tags":["Vendor Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/81513","name":"jboss-eap-getcredential-info-disc(81513)","refsource":"XF","tags":[],"title":"IBM X-Force Exchange","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/57550","name":"57550","refsource":"BID","tags":[],"title":"JBoss Enterprise Application Platform CVE-2012-3370 Security Bypass Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2012-3370","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2012-3370","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2012","cve_id":"3370","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"jboss_enterprise_application_platform","cpe6":"5.2.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2012","cve_id":"3370","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"jboss_enterprise_application_platform","cpe6":"5.2.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2012","cve_id":"3370","vulnerable":"1","versionEndIncluding":"5.3.0","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"jboss_enterprise_brms_platform","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2012","cve_id":"3370","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"jboss_enterprise_web_platform","cpe6":"5.2.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2012","cve_id":"3370","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"jboss_enterprise_web_platform","cpe6":"5.2.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2012-3370","ASSIGNER":"secalert@redhat.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"The SecurityAssociation.getCredential method in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 returns the credentials of the previous user when a security context is not provided, which allows remote attackers to gain privileges as other users."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_affected":"=","version_value":"n/a"}]}}]}}]}},"references":{"reference_data":[{"url":"http://rhn.redhat.com/errata/RHSA-2013-0191.html","refsource":"MISC","name":"http://rhn.redhat.com/errata/RHSA-2013-0191.html"},{"url":"http://rhn.redhat.com/errata/RHSA-2013-0192.html","refsource":"MISC","name":"http://rhn.redhat.com/errata/RHSA-2013-0192.html"},{"url":"http://rhn.redhat.com/errata/RHSA-2013-0193.html","refsource":"MISC","name":"http://rhn.redhat.com/errata/RHSA-2013-0193.html"},{"url":"http://rhn.redhat.com/errata/RHSA-2013-0194.html","refsource":"MISC","name":"http://rhn.redhat.com/errata/RHSA-2013-0194.html"},{"url":"http://rhn.redhat.com/errata/RHSA-2013-0195.html","refsource":"MISC","name":"http://rhn.redhat.com/errata/RHSA-2013-0195.html"},{"url":"http://rhn.redhat.com/errata/RHSA-2013-0196.html","refsource":"MISC","name":"http://rhn.redhat.com/errata/RHSA-2013-0196.html"},{"url":"http://rhn.redhat.com/errata/RHSA-2013-0197.html","refsource":"MISC","name":"http://rhn.redhat.com/errata/RHSA-2013-0197.html"},{"url":"http://rhn.redhat.com/errata/RHSA-2013-0198.html","refsource":"MISC","name":"http://rhn.redhat.com/errata/RHSA-2013-0198.html"},{"url":"http://rhn.redhat.com/errata/RHSA-2013-0221.html","refsource":"MISC","name":"http://rhn.redhat.com/errata/RHSA-2013-0221.html"},{"url":"http://rhn.redhat.com/errata/RHSA-2013-0533.html","refsource":"MISC","name":"http://rhn.redhat.com/errata/RHSA-2013-0533.html"},{"url":"http://secunia.com/advisories/51984","refsource":"MISC","name":"http://secunia.com/advisories/51984"},{"url":"http://secunia.com/advisories/52054","refsource":"MISC","name":"http://secunia.com/advisories/52054"},{"url":"http://securitytracker.com/id?1028042","refsource":"MISC","name":"http://securitytracker.com/id?1028042"},{"url":"http://www.osvdb.org/89581","refsource":"MISC","name":"http://www.osvdb.org/89581"},{"url":"http://www.securityfocus.com/bid/57550","refsource":"MISC","name":"http://www.securityfocus.com/bid/57550"},{"url":"https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=836456","refsource":"MISC","name":"https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=836456"},{"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/81513","refsource":"MISC","name":"https://exchange.xforce.ibmcloud.com/vulnerabilities/81513"}]}},"nvd":{"publishedDate":"2013-02-05 23:55:00","lastModifiedDate":"2017-08-29 01:31:00","problem_types":["CWE-264"],"metrics":{"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":5.8},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":4.9,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.2.0:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:jboss_enterprise_web_platform:5.2.0:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:jboss_enterprise_brms_platform:*:*:*:*:*:*:*:*","versionEndIncluding":"5.3.0","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2012","CveId":"3370","Ordinal":"56117","Title":"CVE-2012-3370","CVE":"CVE-2012-3370","Year":"2012"},"notes":[{"CveYear":"2012","CveId":"3370","Ordinal":"1","NoteData":"The SecurityAssociation.getCredential method in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 returns the credentials of the previous user when a security context is not provided, which allows remote attackers to gain privileges as other users.","Type":"Description","Title":null},{"CveYear":"2012","CveId":"3370","Ordinal":"2","NoteData":"2013-02-05","Type":"Other","Title":"Published"},{"CveYear":"2012","CveId":"3370","Ordinal":"3","NoteData":"2017-08-28","Type":"Other","Title":"Modified"}]}}}