CVE-2010-2493

Table of Contents

Impact:
Low
Public Date:
2010-07-14
Bugzilla:
614774: CVE-2010-2493 JBoss SOA Platform web application authentication bypass

The MITRE CVE dictionary describes this issue as:

The default configuration of the deployment descriptor (aka web.xml) in picketlink-sts.war in (1) the security_saml quickstart, (2) the webservice_proxy_security quickstart, (3) the web-console application, (4) the http-invoker application, (5) the gpd-deployer application, (6) the jbpm-console application, (7) the contract application, and (8) the uddi-console application in JBoss Enterprise SOA Platform before 5.0.2 contains GET and POST http-method elements, which allows remote attackers to bypass intended access restrictions via a crafted HTTP request.

Find out more about CVE-2010-2493 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

These issues were fixed by the 5.0.2 release of the JBoss Enterprise SOA Platform, available for download from the Red Hat Customer Portal:
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform&downloadType=distributions&version=5.0.2+GA

The JBoss Enterprise SOA Platform 5.0.2 Release Notes are available from http://www.redhat.com/docs/en-US/JBoss_SOA_Platform/5.0.2/html/5.0.2_Release_Notes/index.html

CVSS v2 metrics

NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.

Base Score 5
Base Metrics AV:N/AC:L/Au:N/C:P/I:N/A:N
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Partial
Integrity Impact None
Availability Impact None

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Last Modified

CVE description copyright © 2017, The MITRE Corporation