Description

mod_cluster 1.0.10 before 1.0.10 CP03 and 1.1.x before 1.1.4, as used in JBoss Enterprise Application Platform 5.1.2, when "ROOT" is set to excludedContexts, exposes the root context of the server, which allows remote attackers to bypass access restrictions and gain access to applications deployed on the root context via unspecified vectors.

Remediation

References

http://rhn.redhat.com/errata/RHSA-2012-1010.html

http://rhn.redhat.com/errata/RHSA-2012-1011.html

http://rhn.redhat.com/errata/RHSA-2012-1012.html

http://rhn.redhat.com/errata/RHSA-2012-1052.html

http://rhn.redhat.com/errata/RHSA-2012-1053.html

http://rhn.redhat.com/errata/RHSA-2012-1166.html

http://secunia.com/advisories/49636

https://bugzilla.redhat.com/show_bug.cgi?id=802200

https://community.jboss.org/message/624018

https://issues.jboss.org/browse/MODCLUSTER-253

Related Vulnerabilities

CVE-2019-16541 Vulnerability in maven package org.jenkins-ci.plugins:jira

CVE-2022-22984 Vulnerability in npm package snyk-docker-plugin

CVE-2022-43402 Vulnerability in maven package org.jenkins-ci.plugins.workflow:workflow-cps

CVE-2023-26476 Vulnerability in maven package org.xwiki.platform:xwiki-platform-livetable-ui

CVE-2021-31412 Vulnerability in maven package com.vaadin:flow-server

Severity

Critical

Classification

CWE-264

Tags

Vendor Advisory