Auth bypass in Redhat Jboss_enterprise_application_platform

CVE-2011-4085

The servlets invoked by httpha-invoker in JBoss Enterprise Application Platform before 5.1.2, SOA Platform before 5.2.0, BRMS Platform before 5.3.0, and Portal Platform before 4.3 CP07 perform access control only for the GET and POST metho…

Vulnerability class: Broken Authentication

EPSS: 0.007 (72.9th percentile) — read the EPSS interpretation.

Affected products

Redhat Jboss_enterprise_application_platform — versions 4.2.0, 4.3.0, 5.0.0
Redhat Jboss_enterprise_brms_platform
Redhat Jboss_enterprise_portal_platform
Redhat Jboss_enterprise_soa_platform — versions 4.2.0, 4.3.0, 5.0.0
N/a — versions n/a

Weakness classification (CWE)

CWE-287 — Improper Authentication

References

RHSA-2012:1028 (x_refsource_REDHAT, vendor-advisory, Vendor Advisory)
47866 (x_refsource_SECUNIA, third-party-advisory, Vendor Advisory)
RHSA-2011:1805 (x_refsource_REDHAT, vendor-advisory, Vendor Advisory)
RHSA-2011:1456 (x_refsource_REDHAT, vendor-advisory, Vendor Advisory)
RHSA-2012:0091 (x_refsource_REDHAT, vendor-advisory, Vendor Advisory)
RHSA-2011:1822 (x_refsource_REDHAT, vendor-advisory)
RHSA-2011:1799 (x_refsource_REDHAT, vendor-advisory, Vendor Advisory)
secalert@redhat.com (x_refsource_MISC)
RHSA-2011:1798 (x_refsource_REDHAT, vendor-advisory, Vendor Advisory)
RHSA-2011:1800 (x_refsource_REDHAT, vendor-advisory, Vendor Advisory)