Red Hat JBoss Enterprise Application Platform (EAP) 7.2.6

CPE Details

2020-02-03 13h13 +00:00

CPE Name: cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2.6:-:*:*:*:*:*:*

Information

Vendor: redhat
Product: jboss_enterprise_application_platform
Version: 7.2.6
Update: -

Related CVE

CVE ID: CVE-2022-0866
Published: 2022-05-10 18h20 +00:00
Score: 5.3
Severity: Medium
Description: This is a concurrency issue that can result in the wrong caller principal being returned from the session context of an EJB that is configured with a RunAs principal. In particular, the org.jboss.as.ejb3.component.EJBComponent class has an incomingRunAsIdentity field. This field is used by the org.jboss.as.ejb3.security.RunAsPrincipalInterceptor to keep track of the current identity prior to switching to a new identity created using the RunAs principal. The issue is that the EJBComponent#incomingRunAsIdentity field is currently just a SecurityIdentity. This means that in a concurrent environment, where multiple users are repeatedly invoking an EJB that is configured with a RunAs principal, it's possible for the wrong caller principal to be returned from EJBComponent#getCallerPrincipal. Similarly, it's also possible for EJBComponent#isCallerInRole to return the wrong value. Both of these methods rely on incomingRunAsIdentity. Affects all versions of JBoss EAP from 7.1.0 and all versions of WildFly 11+ when Elytron is enabled.

CVE ID: CVE-2019-14885
Published: 2020-01-22 23h00 +00:00
Score: 4.3
Severity: Medium
Description: A flaw was found in the JBoss EAP Vault system in all versions before 7.2.6.GA. Confidential information of the system property's security attribute value is revealed in the JBoss EAP log file when executing a JBoss CLI 'reload' command. This flaw can lead to the exposure of confidential information.