Description

In the default configuration, after JBoss is installed, the JMX console is available at http://localhost:8080/jmx-console. The JMX console can be used to display the JNDI tree, dump the list of threads, redeploy an application or even shutdown the application server. By default, the console is not secured and can be used by remote attackers. Check References for detailed information.

Remediation

Restrict access to JMX Management Console.

References

Bridging the Gap between the Enterprise and You - or - Who's the JBoss now?

Related Vulnerabilities

WordPress Plugin W4 Post List Multiple Vulnerabilities (2.4.5)

WordPress Plugin Popup Maker-Popup for opt-ins, lead gen, & more Information Disclosure (1.8.11)

WordPress 4.4.x Multiple Vulnerabilities (4.4 - 4.4.28)

JVM version leakage

Squid Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2019-12528)

Severity

High

Classification

CWE-200 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Tags

Information Disclosure Configuration