Description

In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data.

Remediation

References

CVE-2017-12149

Related Vulnerabilities

PHP Resource Management Errors Vulnerability (CVE-2010-4150)

Oracle Database Server Other Vulnerability (CVE-2001-0943)

WordPress Plugin JupiterX Core Privilege Escalation (2.0.7)

WordPress Plugin DMSGuestbook Multiple Remote Vulnerabilities (1.8.0)

WordPress Plugin WordPress Comments Import & Export CSV Injection (2.0.4)

Severity

Critical

Classification

CVE-2017-12149 CWE-502 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities