CVE Database

CVE-2011-4085

Impact: Low
Public: 2011-11-16
Bugzilla: 750422: CVE-2011-4085 Invoker servlets authentication bypass (HTTP verb tampering)

Details

The MITRE CVE dictionary describes this issue as:

The servlets invoked by httpha-invoker in JBoss Enterprise Application Platform before 5.1.2, SOA Platform before 5.2.0, BRMS Platform before 5.3.0, and Portal Platform before 4.3 CP07 perform access control only for the GET and POST methods, which allows remote attackers to bypass authentication by sending a request with a different method. NOTE: this vulnerability exists because of a CVE-2010-0738 regression.
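The bypass described above comes down to an access check that names GET and POST explicitly, so HEAD, PUT, DELETE, OPTIONS or an arbitrary verb falls outside the constraint and reaches the servlet unauthenticated. The Python below is an added example, not code from this Red Hat page or from JBoss: it audits a servlet deployment descriptor for security constraints that list explicit http-method elements (the weak shape beside the corrected one), and then probes a local stand-in server that mimics the flawed behaviour with a range of verbs so the bypass is visible as response codes. The web.xml content, the servlet path /invoker/JMXInvokerServlet and the stand-in server are constructed for illustration and are assumptions, not material from the advisory.

```python
# Added example (not from the Red Hat CVE page or from JBoss). The web.xml
# text, the path and the stand-in server below are constructed assumptions.
import http.client
import threading
import xml.etree.ElementTree as ET
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed descriptor in the weak shape: the constraint names GET and POST,
# so every other verb is never matched by it.
WEAK_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HttpInvokers</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>HttpInvoker</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

# Corrected shape: no <http-method> elements, so the constraint covers all verbs.
FIXED_WEB_XML = WEAK_WEB_XML.replace(
    "      <http-method>GET</http-method>\n"
    "      <http-method>POST</http-method>\n", "")


def _local(tag):
    """Strip an XML namespace prefix ({ns}name -> name)."""
    return tag.rsplit("}", 1)[-1]


def method_limited_constraints(web_xml):
    """Return [(resource_name, [methods])] for each security-constraint whose
    web-resource-collection restricts itself to explicit http-method entries."""
    findings = []
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            name = next((c.text or "").strip() for c in wrc
                        if _local(c.tag) == "web-resource-name")
            methods = [(c.text or "").strip().upper() for c in wrc
                       if _local(c.tag) == "http-method"]
            if methods:
                findings.append((name, methods))
    return findings


class VulnerableInvokerHandler(BaseHTTPRequestHandler):
    """Stand-in for the flawed behaviour: credentials are demanded for GET and
    POST only; any other verb is dispatched without authentication."""
    PROTECTED = {"GET", "POST"}

    def _dispatch(self):
        if self.command in self.PROTECTED and "Authorization" not in self.headers:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="JBoss"')
            self.end_headers()
            return
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet

    # BaseHTTPRequestHandler dispatches on "do_" + verb; cover the usual verbs
    # and one non-standard verb to show that anything unlisted gets through.
    do_GET = do_POST = do_HEAD = do_PUT = do_DELETE = do_OPTIONS = do_FOO = _dispatch


def probe_verbs(host, port, path="/invoker/JMXInvokerServlet",
                methods=("GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "FOO")):
    """Send each verb with no credentials; return {verb: HTTP status}."""
    results = {}
    for m in methods:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request(m, path)
        resp = conn.getresponse()
        resp.read()
        results[m] = resp.status
        conn.close()
    return results


def bypassing_verbs(results):
    """Verbs served with 2xx while unauthenticated GET is rejected (401/403)."""
    if results.get("GET") not in (401, 403):
        return []
    return sorted(m for m, s in results.items() if 200 <= s < 300)


def run_demo():
    """Start the stand-in server on a free loopback port and probe it."""
    srv = HTTPServer(("127.0.0.1", 0), VulnerableInvokerHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return probe_verbs("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("weak descriptor:", method_limited_constraints(WEAK_WEB_XML))
    print("fixed descriptor:", method_limited_constraints(FIXED_WEB_XML))
    statuses = run_demo()
    print("statuses:", statuses)
    print("verbs bypassing auth:", bypassing_verbs(statuses))
```

Against a real deployment the same probe is the check to run after patching: every verb, including a made-up one, must come back 401 or 403 on the invoker path, not only GET and POST. The descriptor audit is the cheaper preventive check; a constraint that enumerates methods protects only those methods, and the fix is to drop the http-method elements rather than to add more of them.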

Find out more about CVE-2011-4085 from the MITRE CVE dictionary and NIST NVD.

CVSS v2 metrics

Base Score: 2.6
Base Metrics: AV:N/AC:H/Au:N/C:N/I:N/A:P
Access Vector: Network
Access Complexity: High
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Partial

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat security errata

Platform                                                                Errata          Release Date
JBoss Enterprise BRMS Platform 5.3                                      RHSA-2012:1028  June 22, 2012
Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS (jbossas) RHSA-2011:1800  December 08, 2011
Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server (jbossas) RHSA-2011:1799  December 08, 2011
Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server (jbossas) RHSA-2011:1798  December 08, 2011
Red Hat JBoss Enterprise Application Platform 5.1                       RHSA-2011:1805  December 08, 2011
Red Hat JBoss Portal 4.3                                                RHSA-2012:0091  February 02, 2012
Red Hat JBoss Portal 5                                                  RHSA-2011:1822  December 14, 2011
Red Hat JBoss SOA Platform 5.1                                          RHSA-2011:1456  November 16, 2011

External References

This page is generated automatically and has not been checked for errors or omissions.

For clarification or corrections please contact the Red Hat Security Response Team.