CVE-2007-1036

{"id": "CVE-2007-1036", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": true, "userInteractionRequired": false}]}, "published": "2007-02-21T11:28:00.000", "references": [{"url": "http://osvdb.org/33744", "source": "cve@mitre.org"}, {"url": "http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss", "source": "cve@mitre.org"}, {"url": "http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureTheJmxConsole", "source": "cve@mitre.org"}, {"url": "http://www.kb.cert.org/vuls/id/632656", "tags": ["US Government Resource"], "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/archive/1/460597/100/0/threaded", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/archive/1/460605/100/0/threaded", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/archive/1/460695/100/0/threaded", "source": "cve@mitre.org"}, {"url": "http://www.securitytracker.com/id?1017677", "source": "cve@mitre.org"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/32596", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-264"}]}], "descriptions": [{"lang": "en", "value": "The default configuration of JBoss does not restrict access to the (1) console and (2) web management interfaces, which allows remote attackers to bypass authentication and gain administrative access via direct requests."}, {"lang": "es", "value": "La configuraci\u00f3n por defecto de JBoss no restringe el acceso a (1) la consola y (2) interfaces de gesti\u00f3n web, lo cual permite a atacantes remotos evitar la autenticaci\u00f3n y obtener acceso administrativo mediante peticiones directas."}], "lastModified": "2018-10-16T16:36:27.030", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:jboss:jboss_application_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B9B61ABC-C01B-401A-B83C-5B6D2B97AC98"}], "operator": "OR"}]}], "vendorComments": [{"comment": "The JBoss AS console manager should always be secured prior to deployment, as directed in the JBoss Application Server Guide and release notes. By default, the JBoss AS installer gives users the ability to password protect the console manager. If the user did not use the installer, the raw JBoss services will be in a completely unconfigured state and these steps should be performed manually:\n\nhttp://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss\n", "lastModified": "2007-05-18T00:00:00", "organization": "Red Hat"}], "sourceIdentifier": "cve@mitre.org"}