
CVE-2013-4128

Red Hat JBoss Enterprise Application Platform (EAP) 6.1.0 does not properly cache EJB invocations by remote-naming, which allows remote attackers to hijack sessions by using a remoting client.

Details

Source

Mitre

Public Date

2013-07-11 00:00:00

Impact

Important

Bugzilla

CVE-2013-4128 JBoss remote-naming: Session fixation due to improper connection caching

Bugzilla ID

984795

CVSS Status

verified

Base Score

6.40

Base Metrics

AV:N/AC:L/Au:N/C:P/I:P/A:N

Acknowledgements

This issue was discovered by Wolf-Dieter Fink of the Red Hat GSS Team.

Red Hat Security Errata

Platform                                                            Errata           Release Date
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server   RHSA-2013:1151   2013-08-12
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server   RHSA-2013:1151   2013-08-12
Red Hat JBoss Portal Platform 6.1                                   RHSA-2013:1437   2013-10-16
Red Hat JBoss Enterprise Application Platform 6.1                   RHSA-2013:1152   2013-08-12

CWE

CWE-384

Affected Packages State

Platform                      Package         State
Red Hat JBoss Data Grid 6     remote-naming   Not affected