Description

The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) 6.2.0 and 6.3.0, does not properly enforce the method level restrictions for outbound messages, which allows remote authenticated users to access otherwise restricted JAX-WS handlers by leveraging permissions to the EJB class. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-2133.

Remediation

References

http://rhn.redhat.com/errata/RHSA-2014-1019.html

http://rhn.redhat.com/errata/RHSA-2014-1020.html

http://rhn.redhat.com/errata/RHSA-2014-1021.html

https://bugzilla.redhat.com/show_bug.cgi?id=1102317

https://exchange.xforce.ibmcloud.com/vulnerabilities/95409

Related Vulnerabilities

CVE-2018-1000197 Vulnerability in maven package com.blackducksoftware.integration:blackduck-hub

CVE-2014-0035 Vulnerability in maven package org.apache.cxf:cxf-rt-ws-security

CVE-2019-5786 Vulnerability in npm package puppeteer

CVE-2021-21350 Vulnerability in maven package com.thoughtworks.xstream:xstream

CVE-2022-27202 Vulnerability in maven package org.jenkins-ci.plugins:extended-choice-parameter

Severity

Critical

Classification

CWE-264

Tags

Vendor Advisory