CVE-2009-0027 : The request handler in JBossWS in JBoss Enterprise Application Platform (aka JBo

The request handler in JBossWS in JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP06 and 4.3 before 4.3.0.CP04 does not properly validate the resource path during a request for a WSDL file with a custom web-service endpoint, which allows remote attackers to read arbitrary XML files via a crafted request.

Published 2009-03-09 21:30:00

Updated 2025-04-09 00:30:58

Source Red Hat, Inc.

View at NVD, CVE.org

Products affected by CVE-2009-0027

Redhat » Jboss Enterprise Application Platform » Version: 4.3.0 Update Cp03
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:cp03:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Application Platform » Version: 4.3.0 Update Cp04
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:cp04:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Application Platform » Version: 4.2.0 Update Cp02
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:cp02:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Application Platform » Version: 4.2.0 Update Cp01
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:cp01:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Application Platform » Version: 4.3.0 Update Cp01
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:cp01:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Application Platform » Version: 4.3.0 Update Cp02
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:cp02:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Application Platform » Version: 4.2.0 Update Cp03
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:cp03:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Application Platform » Version: 4.2.0 Update Cp04
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:cp04:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Application Platform » Version: 4.2.0 Update Cp05
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:cp05:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Application Platform » Version: 4.2.0 Update Cp06
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:cp06:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2009-0027

EPSS FAQ

0.71%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 70 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2009-0027

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.0	MEDIUM	AV:N/AC:L/Au:N/C:P/I:N/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None

CWE ids for CVE-2009-0027

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2009-0027

Jump to

Vulnerability Details : CVE-2009-0027

Products affected by CVE-2009-0027

Exploit prediction scoring system (EPSS) score for CVE-2009-0027

CVSS scores for CVE-2009-0027

CWE ids for CVE-2009-0027

References for CVE-2009-0027