Vulnerability Description
The popSubjectContext method in the SecurityAssociation class in JBoss Enterprise Java Beans (EJB) 3.0 RC3 maintains the threadPrincipal and threadCredential values from a previous client's authentication after termination of a client session, which allows remote attackers to gain the roles of an arbitrary previous client who had the same JBoss server thread.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jboss | Enterprise Java Beans | 3.0_rc3 |
References
- http://jira.jboss.com/jira/browse/EJBTHREE-384Patch
- http://www.vupen.com/english/advisories/2006/0374
- https://exchange.xforce.ibmcloud.com/vulnerabilities/24384
- http://jira.jboss.com/jira/browse/EJBTHREE-384Patch
- http://www.vupen.com/english/advisories/2006/0374
- https://exchange.xforce.ibmcloud.com/vulnerabilities/24384
FAQ
What is CVE-2005-4709?
CVE-2005-4709 is a vulnerability with a CVSS score of 5.0 (MEDIUM). The popSubjectContext method in the SecurityAssociation class in JBoss Enterprise Java Beans (EJB) 3.0 RC3 maintains the threadPrincipal and threadCredential values from a previous client's authentica...
How severe is CVE-2005-4709?
CVE-2005-4709 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2005-4709?
Check the references section above for vendor advisories and patch information. Affected products include: Jboss Enterprise Java Beans.