CVE-2011-2908

Cross-site request forgery (CSRF) vulnerability in the JMX Console (jmx-console) in JBoss Enterprise Portal Platform before 5.2.2, BRMS Platform 5.3.0 before roll up patch1, and SOA Platform 5.3.0 allows remote authenticated users to hijack the authentication of arbitrary users for requests that perform operations on MBeans and possibly execute arbitrary code via unspecified vectors.

CVSS v2.0 6.0 MEDIUM

6.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:S/C:P/I:P/A:P

Exploitability : 6.8 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://rhn.redhat.com/errata/RHSA-2012-1165.html	Vendor Advisory
http://secunia.com/advisories/50549	Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2012-1232.html	Vendor Advisory
http://www.securityfocus.com/bid/54915
http://www.osvdb.org/84530
https://bugzilla.redhat.com/show_bug.cgi?id=730176
http://rhn.redhat.com/errata/RHSA-2012-1152.html	Vendor Advisory
http://secunia.com/advisories/50230	Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2013-0194.html
http://secunia.com/advisories/51984
http://rhn.redhat.com/errata/RHSA-2013-0195.html
http://rhn.redhat.com/errata/RHSA-2013-0198.html
http://rhn.redhat.com/errata/RHSA-2013-0197.html
http://rhn.redhat.com/errata/RHSA-2013-0196.html
http://rhn.redhat.com/errata/RHSA-2013-0191.html
http://rhn.redhat.com/errata/RHSA-2013-0193.html
http://rhn.redhat.com/errata/RHSA-2013-0192.html
https://exchange.xforce.ibmcloud.com/vulnerabilities/77549

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.0.0:::::::*
	cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.1.1:::::::*
	cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.1.0:::::::*
	cpe:2.3:a:redhat:jboss_enterprise_portal_platform::::::::
	cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.3.0:::::::*
	cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.2.0:::::::*
	cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.3.0:::::::*
	cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.0.1:::::::*

Information

Published : 2012-11-23 12:55

Updated : 2023-02-12 20:32

NVD link : CVE-2011-2908

Mitre link : CVE-2011-2908

JSON object : View

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

Products Affected

redhat

jboss_enterprise_brms_platform
jboss_enterprise_portal_platform
jboss_enterprise_soa_platform

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://rhn.redhat.com/errata/RHSA-2012-1165.html", "name": "RHSA-2012:1165", "tags": ["Vendor Advisory"], "refsource": "REDHAT"}, {"url": "http://secunia.com/advisories/50549", "name": "50549", "tags": ["Vendor Advisory"], "refsource": "SECUNIA"}, {"url": "http://rhn.redhat.com/errata/RHSA-2012-1232.html", "name": "RHSA-2012:1232", "tags": ["Vendor Advisory"], "refsource": "REDHAT"}, {"url": "http://www.securityfocus.com/bid/54915", "name": "54915", "tags": [], "refsource": "BID"}, {"url": "http://www.osvdb.org/84530", "name": "84530", "tags": [], "refsource": "OSVDB"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=730176", "name": "https://bugzilla.redhat.com/show_bug.cgi?id=730176", "tags": [], "refsource": "MISC"}, {"url": "http://rhn.redhat.com/errata/RHSA-2012-1152.html", "name": "RHSA-2012:1152", "tags": ["Vendor Advisory"], "refsource": "REDHAT"}, {"url": "http://secunia.com/advisories/50230", "name": "50230", "tags": ["Vendor Advisory"], "refsource": "SECUNIA"}, {"url": "http://rhn.redhat.com/errata/RHSA-2013-0194.html", "name": "RHSA-2013:0194", "tags": [], "refsource": "REDHAT"}, {"url": "http://secunia.com/advisories/51984", "name": "51984", "tags": [], "refsource": "SECUNIA"}, {"url": "http://rhn.redhat.com/errata/RHSA-2013-0195.html", "name": "RHSA-2013:0195", "tags": [], "refsource": "REDHAT"}, {"url": "http://rhn.redhat.com/errata/RHSA-2013-0198.html", "name": "RHSA-2013:0198", "tags": [], "refsource": "REDHAT"}, {"url": "http://rhn.redhat.com/errata/RHSA-2013-0197.html", "name": "RHSA-2013:0197", "tags": [], "refsource": "REDHAT"}, {"url": "http://rhn.redhat.com/errata/RHSA-2013-0196.html", "name": "RHSA-2013:0196", "tags": [], "refsource": "REDHAT"}, {"url": "http://rhn.redhat.com/errata/RHSA-2013-0191.html", "name": "RHSA-2013:0191", "tags": [], "refsource": "REDHAT"}, {"url": "http://rhn.redhat.com/errata/RHSA-2013-0193.html", "name": "RHSA-2013:0193", "tags": [], "refsource": "REDHAT"}, {"url": "http://rhn.redhat.com/errata/RHSA-2013-0192.html", "name": "RHSA-2013:0192", "tags": [], "refsource": "REDHAT"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/77549", "name": "jboss-jmx-console-csrf(77549)", "tags": [], "refsource": "XF"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Cross-site request forgery (CSRF) vulnerability in the JMX Console (jmx-console) in JBoss Enterprise Portal Platform before 5.2.2, BRMS Platform 5.3.0 before roll up patch1, and SOA Platform 5.3.0 allows remote authenticated users to hijack the authentication of arbitrary users for requests that perform operations on MBeans and possibly execute arbitrary code via unspecified vectors."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-352"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2011-2908", "ASSIGNER": "secalert@redhat.com"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 6.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "acInsufInfo": false, "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2012-11-23T20:55Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.0.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.1.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.1.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_portal_platform:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "5.2.1"}, {"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.3.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.2.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.3.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.0.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2023-02-13T04:32Z"}

6.0 /10