CVE-2014-3464

{"id": "CVE-2014-3464", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2014-08-19T18:55:01.827", "references": [{"url": "http://rhn.redhat.com/errata/RHSA-2014-1019.html", "tags": ["Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "http://rhn.redhat.com/errata/RHSA-2014-1020.html", "tags": ["Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "http://rhn.redhat.com/errata/RHSA-2014-1021.html", "tags": ["Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1102317", "source": "secalert@redhat.com"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/95409", "source": "secalert@redhat.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-264"}]}], "descriptions": [{"lang": "en", "value": "The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) 6.2.0 and 6.3.0, does not properly enforce the method level restrictions for outbound messages, which allows remote authenticated users to access otherwise restricted JAX-WS handlers by leveraging permissions to the EJB class. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-2133."}, {"lang": "es", "value": "La implementaci\u00f3n del manejador de la invocaci\u00f3n EJB en Red Hat JBossWS, utilizada en JBoss Enterprise Application Platform (EAP) 6.2.0 y 6.3.0, no aplica debidamente las restricciones de nivel de m\u00e9todo para mensajes salientes, lo que permite a usuarios remotos autenticados acceder a manejadores JAX-WS de otra manera restringidos mediante el aprovechamiento de permisos para la clase EJB. NOTA: esta vulnerabilidad existe debido a una soluci\u00f3n incompleta para el CVE-2013-2133."}], "lastModified": "2017-08-29T01:34:45.810", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "82B6C055-25E2-4C78-ACA7-D722848BDBC4"}, {"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A69B5EA1-06B9-4FAC-A4D7-F1C444D00880"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}