- Description
- The default configuration of JBoss does not restrict access to the (1) console and (2) web management interfaces, which allows remote attackers to bypass authentication and gain administrative access via direct requests.
- Source
- cve@mitre.org
- NVD status
- Modified
CVSS 2.0
- Type
- Primary
- Base score
- 7.5
- Impact score
- 6.4
- Exploitability score
- 10
- Vector string
- AV:N/AC:L/Au:N/C:P/I:P/A:P
- nvd@nist.gov
- CWE-264
- Hype score
- Not currently trending
- Red HatThe JBoss AS console manager should always be secured prior to deployment, as directed in the JBoss Application Server Guide and release notes. By default, the JBoss AS installer gives users the ability to password protect the console manager. If the user did not use the installer, the raw JBoss services will be in a completely unconfigured state and these steps should be performed manually: http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:jboss:jboss_application_server:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "B9B61ABC-C01B-401A-B83C-5B6D2B97AC98"
}
],
"operator": "OR"
}
]
}
]