CVE-2014-7849 : The Role Based Access Control (RBAC) implementation in JBoss Enterprise Applicat

The Role Based Access Control (RBAC) implementation in JBoss Enterprise Application Platform (EAP) 6.2.0 through 6.3.2 does not properly verify authorization conditions, which allows remote authenticated users to add, modify, and undefine otherwise restricted attributes by leveraging the Maintainer role.

Published 2015-02-13 15:59:05

Updated 2025-04-12 10:46:41

Source Red Hat, Inc.

View at NVD, CVE.org

Products affected by CVE-2014-7849

Redhat » Jboss Enterprise Application Platform » Version: 6.2.0
cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.2.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Application Platform » Version: 6.2.2
cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.2.2:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Application Platform » Version: 6.2.3
cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.2.3:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Application Platform » Version: 6.3.0
cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.3.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Application Platform » Version: 6.2.4
cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.2.4:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Application Platform » Version: 6.2.1
cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.2.1:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Application Platform » Version: 6.3.1
cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.3.1:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Application Platform » Version: 6.3.2
cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.3.2:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2014-7849

EPSS FAQ

0.39%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 57 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2014-7849

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
4.0	MEDIUM	AV:N/AC:L/Au:S/C:N/I:P/A:N	8.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None

CWE ids for CVE-2014-7849

CWE-264

Assigned by: nvd@nist.gov (Primary)

References for CVE-2014-7849

https://exchange.xforce.ibmcloud.com/vulnerabilities/100890

Red Hat JBoss Enterprise Application Platform Role Based Access Control security bypass CVE-2014-7849 Vulnerability Report
http://rhn.redhat.com/errata/RHSA-2015-0920.html

Red Hat Customer Portal
Vendor Advisory

CVEs referencing this url
https://bugzilla.redhat.com/show_bug.cgi?id=1165170

1165170 – (CVE-2014-7849) CVE-2014-7849 JBoss AS/WildFly Domain Management: Limited RBAC authorization bypass
Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2015-0215.html

Red Hat Customer Portal
Vendor Advisory

CVEs referencing this url
http://www.securitytracker.com/id/1031741

Red Hat JBoss Enterprise Application Platform Bugs Let Remote Users Obtain Potentially Sensitive Information and Remote Authenticated Users Bypass Security Controls - SecurityTracker

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2015-0217.html

RHSA-2015:0217 - Security Advisory - Red Hat Customer Portal
Vendor Advisory

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2015-0218.html

RHSA-2015:0218 - Security Advisory - Red Hat Customer Portal
Vendor Advisory

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2015-0216.html

RHSA-2015:0216 - Security Advisory - Red Hat Customer Portal
Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2014-7849

Products affected by CVE-2014-7849

Exploit prediction scoring system (EPSS) score for CVE-2014-7849

CVSS scores for CVE-2014-7849

CWE ids for CVE-2014-7849

References for CVE-2014-7849