Vulnerability Details : CVE-2012-3370
The SecurityAssociation.getCredential method in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 returns the credentials of the previous user when a security context is not provided, which allows remote attackers to gain privileges as other users.
Products affected by CVE-2012-3370
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_web_platform:5.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_brms_platform:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2012-3370
- EPSS score: 0.95% (probability of exploitation activity in the next 30 days)
- EPSS score history: chart not reproduced here
- Percentile: ~81% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2012-3370
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N | 8.6 | 4.9 | NIST | |
CWE ids for CVE-2012-3370
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2012-3370
- http://www.securityfocus.com/bid/57550 - JBoss Enterprise Application Platform CVE-2012-3370 Security Bypass Vulnerability
- http://rhn.redhat.com/errata/RHSA-2013-0194.html - RHSA-2013:0194 - Security Advisory - Red Hat Customer Portal (Vendor Advisory)
- http://rhn.redhat.com/errata/RHSA-2013-0196.html - RHSA-2013:0196 - Security Advisory - Red Hat Customer Portal (Vendor Advisory)
- http://rhn.redhat.com/errata/RHSA-2013-0197.html - Red Hat Customer Portal (Vendor Advisory)
- http://rhn.redhat.com/errata/RHSA-2013-0191.html - RHSA-2013:0191 - Security Advisory - Red Hat Customer Portal (Vendor Advisory)
- http://rhn.redhat.com/errata/RHSA-2013-0193.html - Red Hat Customer Portal (Vendor Advisory)
- http://rhn.redhat.com/errata/RHSA-2013-0195.html - RHSA-2013:0195 - Security Advisory - Red Hat Customer Portal (Vendor Advisory)
- http://securitytracker.com/id?1028042 - JBoss Multiple Bugs Let Remote Users Execute Arbitrary Code, Hijack User Sessions or Credentials, and Gain Elevated Privileges - SecurityTracker
- http://rhn.redhat.com/errata/RHSA-2013-0533.html - RHSA-2013:0533 - Security Advisory - Red Hat Customer Portal
- http://rhn.redhat.com/errata/RHSA-2013-0192.html - RHSA-2013:0192 - Security Advisory - Red Hat Customer Portal (Vendor Advisory)
- http://rhn.redhat.com/errata/RHSA-2013-0221.html - RHSA-2013:0221 - Security Advisory - Red Hat Customer Portal (Vendor Advisory)
- http://rhn.redhat.com/errata/RHSA-2013-0198.html - RHSA-2013:0198 - Security Advisory - Red Hat Customer Portal (Vendor Advisory)
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=836456 - 836456 – (CVE-2012-3370) CVE-2012-3370 JBoss: SecurityAssociation.getCredential() will return the previous credential if no security context is provided
- https://exchange.xforce.ibmcloud.com/vulnerabilities/81513 - JBoss Enterprise Application Platform SecurityAssociation.getCredential() information disclosure CVE-2012-3370 Vulnerability Report