Description

The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) before 6.2.0, does not properly enforce the method level restrictions for JAX-WS Service endpoints, which allows remote authenticated users to access otherwise restricted JAX-WS handlers by leveraging permissions to the EJB class.

Remediation

References

http://rhn.redhat.com/errata/RHSA-2013-1785.html

http://rhn.redhat.com/errata/RHSA-2013-1784.html

http://rhn.redhat.com/errata/RHSA-2013-1786.html

http://www.securitytracker.com/id/1029431

http://rhn.redhat.com/errata/RHSA-2015-0851.html

http://rhn.redhat.com/errata/RHSA-2015-0850.html

Related Vulnerabilities

CVE-2011-1419 Vulnerability in maven package org.apache.tomcat:tomcat-catalina

CVE-2019-10291 Vulnerability in maven package org.jenkins-ci.plugins:netsparker-cloud-scan

CVE-2020-16024 Vulnerability in maven package org.webjars.npm:electron

CVE-2011-1419 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

CVE-2023-36471 Vulnerability in maven package org.xwiki.commons:xwiki-commons-xml

Severity

Critical

Classification

CWE-264

Tags

Vendor Advisory