Description

In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data.

Remediation

References

CVE-2017-12149

Related Vulnerabilities

WordPress Plugin SoundCloud Is Gold Cross-Site Scripting (2.3.1)

MySQL CVE-2020-14844 Vulnerability (CVE-2020-14844)

Drupal Core 4.7.x Cross-Site Request Forgery (4.7.0 - 4.7.3)

WordPress Plugin Hero Maps Pro Cross-Site Scripting (2.1.0)

WordPress Plugin Link Library Cross-Site Scripting (5.9.5.5)

Severity

Critical

Classification

CVE-2017-12149 CWE-502 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities