CVE-2010-0738

The JMX-Console web application in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to send requests to this application's GET handler by using a different method.

CVSS v3 5.3 MEDIUM
CVSS v2.0 5.0 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://marc.info/?l=bugtraq&m=132129312609324&w=2	Exploit Mailing List
http://public.support.unisys.com/common/public/vulnerability/NVD_Detail_Rpt.aspx?ID=35	Third Party Advisory
http://secunia.com/advisories/39563	Broken Link Vendor Advisory
http://securityreason.com/securityalert/8408	Broken Link
http://securitytracker.com/id?1023918	Broken Link Third Party Advisory VDB Entry
http://www.securityfocus.com/bid/39710	Broken Link Third Party Advisory VDB Entry
http://www.vupen.com/english/advisories/2010/0992	Broken Link Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=574105	Issue Tracking
https://exchange.xforce.ibmcloud.com/vulnerabilities/58147	Third Party Advisory VDB Entry
https://rhn.redhat.com/errata/RHSA-2010-0376.html	Broken Link
https://rhn.redhat.com/errata/RHSA-2010-0377.html	Broken Link
https://rhn.redhat.com/errata/RHSA-2010-0378.html	Broken Link
https://rhn.redhat.com/errata/RHSA-2010-0379.html	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:-::::::
	cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:-::::::

History

No history.

Information

Published : 2010-04-28 22:30

Updated : 2024-06-28 17:29

NVD link : CVE-2010-0738

Mitre link : CVE-2010-0738

CVE.ORG link : CVE-2010-0738

JSON object : View

Products Affected

redhat

jboss_enterprise_application_platform

CWE

NVD-CWE-noinfo

{"id": "CVE-2010-0738", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2010-04-28T22:30:00.447", "references": [{"url": "http://marc.info/?l=bugtraq&m=132129312609324&w=2", "tags": ["Exploit", "Mailing List"], "source": "secalert@redhat.com"}, {"url": "http://public.support.unisys.com/common/public/vulnerability/NVD_Detail_Rpt.aspx?ID=35", "tags": ["Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "http://secunia.com/advisories/39563", "tags": ["Broken Link", "Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "http://securityreason.com/securityalert/8408", "tags": ["Broken Link"], "source": "secalert@redhat.com"}, {"url": "http://securitytracker.com/id?1023918", "tags": ["Broken Link", "Third Party Advisory", "VDB Entry"], "source": "secalert@redhat.com"}, {"url": "http://www.securityfocus.com/bid/39710", "tags": ["Broken Link", "Third Party Advisory", "VDB Entry"], "source": "secalert@redhat.com"}, {"url": "http://www.vupen.com/english/advisories/2010/0992", "tags": ["Broken Link", "Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=574105", "tags": ["Issue Tracking"], "source": "secalert@redhat.com"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/58147", "tags": ["Third Party Advisory", "VDB Entry"], "source": "secalert@redhat.com"}, {"url": "https://rhn.redhat.com/errata/RHSA-2010-0376.html", "tags": ["Broken Link"], "source": "secalert@redhat.com"}, {"url": "https://rhn.redhat.com/errata/RHSA-2010-0377.html", "tags": ["Broken Link"], "source": "secalert@redhat.com"}, {"url": "https://rhn.redhat.com/errata/RHSA-2010-0378.html", "tags": ["Broken Link"], "source": "secalert@redhat.com"}, {"url": "https://rhn.redhat.com/errata/RHSA-2010-0379.html", "tags": ["Vendor Advisory"], "source": "secalert@redhat.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "The JMX-Console web application in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to send requests to this application's GET handler by using a different method."}, {"lang": "es", "value": "La aplicaci\u00f3n web JMX-Console en JBossAs en Red Hat JBoss Enterprise Application Platform (conocido como JBoss EAP o JBEAP) v4.2 anterior v4.2.0.CP09 y v4.3 anterior v4.3.0.CP08 realiza un control de acceso s\u00f3lo para los m\u00e9todos GET y POST, lo que permite a a atacantes remotos enviar peticiones en el manejador GET de la aplicaci\u00f3n que usan un m\u00e9todo diferente. \r\n"}], "lastModified": "2024-06-28T17:29:24.133", "cisaActionDue": "2022-06-15", "cisaExploitAdd": "2022-05-25", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0D3EADF4-5496-4F5F-B0A6-DBF959C4D7B9"}, {"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FE2A6BEF-2917-437C-A1D5-EE1601FC0A5F"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com", "cisaRequiredAction": "Apply updates per vendor instructions.", "cisaVulnerabilityName": "Red Hat JBoss Authentication Bypass Vulnerability"}