CVE-2014-3464

Published: Aug 19, 2014Modified: May 6, 2026

5.5

Vector

AV:N/AC:L/Au:S/C:P/I:P/A:N

Exploitability: 8.0 / Impact: 4.9

Source: NVD

Description

The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) 6.2.0 and 6.3.0, does not properly enforce the method level restrictions for outbound messages, which allows remote authenticated users to access otherwise restricted JAX-WS handlers by leveraging permissions to the EJB class. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-2133.

Affected (2)

Products: Redhat: Jboss Enterprise Application Platform

1 product

Jboss Enterprise Application Platform

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Redhat Jboss Enterprise Application Platform	Version 6.2.0
Redhat Jboss Enterprise Application Platform	Version 6.3.0

Related CWEs

References (10)

http://rhn.redhat.com/errata/RHSA-2014-1019.html

Source: secalert@redhat.com

Vendor Advisory

http://rhn.redhat.com/errata/RHSA-2014-1020.html

Source: secalert@redhat.com

Vendor Advisory

http://rhn.redhat.com/errata/RHSA-2014-1021.html

Source: secalert@redhat.com

Vendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=1102317

Source: secalert@redhat.com

https://exchange.xforce.ibmcloud.com/vulnerabilities/95409

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2014-1019.html

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://rhn.redhat.com/errata/RHSA-2014-1020.html

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://rhn.redhat.com/errata/RHSA-2014-1021.html

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=1102317

Source: af854a3a-2127-422b-91ae-364da2661108

https://exchange.xforce.ibmcloud.com/vulnerabilities/95409

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.