CVE-2014-7849
It was discovered that the Role Based Access Control (RBAC) implementation did not sufficiently verify all authorization conditions that are required by the Maintainer role to perform certain administrative actions. An authenticated user with the Maintainer role could use this flaw to add, modify, or undefine a limited set of attributes and their values, which otherwise cannot be written to.
Find out more about CVE-2014-7849 from the MITRE CVE dictionary dictionary and NIST NVD.
Statement
This issue did not affect the versions of Red Hat JBoss Enterprise Application Platform before 6.2.0 as they did not include support for role-based access control (RBAC).
CVSS v2 metrics
| Base Score | 4.9 |
|---|---|
| Base Metrics | AV:N/AC:M/Au:S/C:P/I:P/A:N |
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | Single |
| Confidentiality Impact | Partial |
| Integrity Impact | Partial |
| Availability Impact | None |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server | RHSA-2015:0218 | 2015-02-11 |
| Red Hat JBoss Operations Network 3.3 | RHSA-2015:0920 | 2015-04-30 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server | RHSA-2015:0216 | 2015-02-11 |
| Red Hat JBoss Enterprise Application Platform 6.3 | RHSA-2015:0215 | 2015-02-11 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server | RHSA-2015:0217 | 2015-02-11 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat JBoss Portal Platform 6 | Security | Will not fix |
| Red Hat JBoss EAP 5 | Security | Not affected |
| Red Hat JBoss Data Grid 6 | Security | Will not fix |