CVE-2012-4549

The processInvocation function in org.jboss.as.ejb3.security.AuthorizationInterceptor in JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) before 6.0.1, authorizes all requests when no roles are allowed for an Enterprise Java Beans (EJB) method invocation, which allows attackers to bypass intended access restrictions for EJB methods.

Published: Jan 5, 2013
Updated: Apr 13, 2023
CVE: CVE-2012-4549
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 5.8
AV:N/AC:M/Au:N/C:P/I:P/A:N

CWEs:

CWE-264

Affected Software
References

Software	From	Fixed in
redhat / jboss_enterprise_application_platform	5.1.2	5.1.2.x
redhat / jboss_enterprise_application_platform	4.3.0	4.3.0.x
redhat / jboss_enterprise_application_platform	5.2.2	5.2.2.x
redhat / jboss_enterprise_application_platform	5.1.1	5.1.1.x
redhat / jboss_enterprise_application_platform	5.0.1	5.0.1.x
redhat / jboss_enterprise_application_platform	5.1.0	5.1.0.x
redhat / jboss_enterprise_application_platform	5.2.0	5.2.0.x
redhat / jboss_enterprise_application_platform	5.2.1	5.2.1.x
redhat / jboss_enterprise_application_platform	4.2.0	4.2.0.x
redhat / jboss_enterprise_application_platform	-	6.0.0.x
redhat / jboss_enterprise_application_platform	5.0.0	5.0.0.x

Vulnerability Database

289,599

CVE-2012-4549