Main Vulnerability Database SB2014040302

SB2014040302 - Multiple vulnerabilities in JBoss Enterprise Application Platform

Published: April 3, 2014 Updated: August 10, 2020

Security Bulletin ID SB2014040302

Severity

Medium

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Information disclosure (CVE-ID: CVE-2014-3481)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

org.jboss.as.jaxrs.deployment.JaxrsIntegrationProcessor in Red Hat JBoss Enterprise Application Platform (JEAP) before 6.2.4 enables entity expansion, which allows remote attackers to read arbitrary files via unspecified vectors, related to an XML External Entity (XXE) issue.

2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2014-0093)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Red Hat JBoss Enterprise Application Platform (JBEAP) 6.2.2, when using a Java Security Manager (JSM), does not properly apply permissions defined by a policy file, which causes applications to be granted the java.security.AllPermission permission and allows remote attackers to bypass intended access restrictions.

Remediation

Install update from vendor's website.

SB2014040302 - Multiple vulnerabilities in JBoss Enterprise Application Platform

Breakdown by Severity

Description

Remediation

References

Please verify you're human