CVE-2011-4605

The (1) JNDI service, (2) HA-JNDI service, and (3) HAJNDIFactory invoker servlet in JBoss Enterprise Application Platform 4.3.0 CP10 and 5.1.2, Web Platform 5.1.2, SOA Platform 4.2.0.CP05 and 4.3.0.CP05, Portal Platform 4.3 CP07 and 5.2.x before 5.2.2, and BRMS Platform before 5.3.0 do not properly restrict write access, which allows remote attackers to add, delete, or modify items in a JNDI tree via unspecified vectors.

CVSS v2.0 7.5 HIGH

7.5^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://secunia.com/advisories/49658	Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2012-1028.html
http://rhn.redhat.com/errata/RHSA-2012-1025.html
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=766469
http://rhn.redhat.com/errata/RHSA-2012-1022.html
http://rhn.redhat.com/errata/RHSA-2012-1023.html
http://secunia.com/advisories/49656	Vendor Advisory
http://secunia.com/advisories/50549	Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2012-1027.html
http://secunia.com/advisories/50084	Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2012-1125.html
http://rhn.redhat.com/errata/RHSA-2012-1295.html
http://rhn.redhat.com/errata/RHSA-2012-1024.html
http://rhn.redhat.com/errata/RHSA-2012-1232.html
http://rhn.redhat.com/errata/RHSA-2012-1109.html
http://www.securitytracker.com/id?1027501
http://rhn.redhat.com/errata/RHSA-2012-1026.html
http://www.securityfocus.com/bid/54644

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:cp10::::::
	cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.1.2:::::::*
	cpe:2.3:a:redhat:jboss_enterprise_web_platform:5.1.2:::::::*
	cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.2.1:::::::*
	cpe:2.3:a:redhat:jboss_enterprise_portal_platform:4.3.0:cp07::::::
	cpe:2.3:a:redhat:jboss_enterprise_brms_platform::::::::
	cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:cp05::::::
	cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.2.0:::::::*
	cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:cp05::::::

Information

Published : 2012-11-23 12:55

Updated : 2023-02-12 16:22

NVD link : CVE-2011-4605

Mitre link : CVE-2011-4605

JSON object : View

CWE

CWE-264

Permissions, Privileges, and Access Controls

Products Affected

redhat

jboss_enterprise_web_platform
jboss_enterprise_application_platform
jboss_enterprise_soa_platform
jboss_enterprise_brms_platform
jboss_enterprise_portal_platform

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://secunia.com/advisories/49658", "name": "49658", "tags": ["Vendor Advisory"], "refsource": "SECUNIA"}, {"url": "http://rhn.redhat.com/errata/RHSA-2012-1028.html", "name": "RHSA-2012:1028", "tags": [], "refsource": "REDHAT"}, {"url": "http://rhn.redhat.com/errata/RHSA-2012-1025.html", "name": "RHSA-2012:1025", "tags": [], "refsource": "REDHAT"}, {"url": "http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=766469", "name": "http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=766469", "tags": [], "refsource": "MISC"}, {"url": "http://rhn.redhat.com/errata/RHSA-2012-1022.html", "name": "RHSA-2012:1022", "tags": [], "refsource": "REDHAT"}, {"url": "http://rhn.redhat.com/errata/RHSA-2012-1023.html", "name": "RHSA-2012:1023", "tags": [], "refsource": "REDHAT"}, {"url": "http://secunia.com/advisories/49656", "name": "49656", "tags": ["Vendor Advisory"], "refsource": "SECUNIA"}, {"url": "http://secunia.com/advisories/50549", "name": "50549", "tags": ["Vendor Advisory"], "refsource": "SECUNIA"}, {"url": "http://rhn.redhat.com/errata/RHSA-2012-1027.html", "name": "RHSA-2012:1027", "tags": [], "refsource": "REDHAT"}, {"url": "http://secunia.com/advisories/50084", "name": "50084", "tags": ["Vendor Advisory"], "refsource": "SECUNIA"}, {"url": "http://rhn.redhat.com/errata/RHSA-2012-1125.html", "name": "RHSA-2012:1125", "tags": [], "refsource": "REDHAT"}, {"url": "http://rhn.redhat.com/errata/RHSA-2012-1295.html", "name": "RHSA-2012:1295", "tags": [], "refsource": "REDHAT"}, {"url": "http://rhn.redhat.com/errata/RHSA-2012-1024.html", "name": "RHSA-2012:1024", "tags": [], "refsource": "REDHAT"}, {"url": "http://rhn.redhat.com/errata/RHSA-2012-1232.html", "name": "RHSA-2012:1232", "tags": [], "refsource": "REDHAT"}, {"url": "http://rhn.redhat.com/errata/RHSA-2012-1109.html", "name": "RHSA-2012:1109", "tags": [], "refsource": "REDHAT"}, {"url": "http://www.securitytracker.com/id?1027501", "name": "1027501", "tags": [], "refsource": "SECTRACK"}, {"url": "http://rhn.redhat.com/errata/RHSA-2012-1026.html", "name": "RHSA-2012:1026", "tags": [], "refsource": "REDHAT"}, {"url": "http://www.securityfocus.com/bid/54644", "name": "54644", "tags": [], "refsource": "BID"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "The (1) JNDI service, (2) HA-JNDI service, and (3) HAJNDIFactory invoker servlet in JBoss Enterprise Application Platform 4.3.0 CP10 and 5.1.2, Web Platform 5.1.2, SOA Platform 4.2.0.CP05 and 4.3.0.CP05, Portal Platform 4.3 CP07 and 5.2.x before 5.2.2, and BRMS Platform before 5.3.0 do not properly restrict write access, which allows remote attackers to add, delete, or modify items in a JNDI tree via unspecified vectors."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-264"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2011-4605", "ASSIGNER": "secalert@redhat.com"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "HIGH", "acInsufInfo": false, "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2012-11-23T20:55Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:cp10:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.1.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_web_platform:5.1.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.2.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_portal_platform:4.3.0:cp07:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_brms_platform:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "5.2.0"}, {"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.2.0:cp05:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.2.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:cp05:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2023-02-13T00:22Z"}

7.5 /10