CVE-2009-0027

Sažetak

The request handler in JBossWS in JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP06 and 4.3 before 4.3.0.CP04 does not properly validate the resource path during a request for a WSDL file with a custom web-service endpoint, which allows remote attackers to read arbitrary XML files via a crafted request.

Reference

http://rhn.redhat.com/errata/RHSA-2009-0346.html
http://rhn.redhat.com/errata/RHSA-2009-0347.html
http://rhn.redhat.com/errata/RHSA-2009-0348.html
http://rhn.redhat.com/errata/RHSA-2009-0349.html
http://secunia.com/advisories/34112
http://www.securityfocus.com/bid/34023
http://www.securitytracker.com/id?1021817
https://bugzilla.redhat.com/show_bug.cgi?id=479668
https://jira.jboss.org/jira/browse/JBPAPP-1548

CVSS

Base:	5.0
Impact:	2.9
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	NONE	NONE

CVSS vektor

AV:N/AC:L/Au:N/C:P/I:N/A:N

Zadnje važnije ažuriranje

21-03-2009 - 05:53

Objavljeno

09-03-2009 - 21:30