Vulnerability Description
The isCallerInRole function in SimpleSecurityManager in JBoss Application Server (AS) 7, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.3.0, does not properly check caller roles, which allows remote authenticated users to bypass access restrictions via unspecified vectors.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Jboss Enterprise Application Platform | 6.3.0 |
Related Weaknesses (CWE)
References
- http://rhn.redhat.com/errata/RHSA-2014-1019.htmlVendor Advisory
- http://rhn.redhat.com/errata/RHSA-2014-1020.htmlVendor Advisory
- http://rhn.redhat.com/errata/RHSA-2014-1021.htmlVendor Advisory
- http://rhn.redhat.com/errata/RHSA-2015-0720.htmlVendor Advisory
- http://www.securityfocus.com/bid/69094
- https://bugzilla.redhat.com/show_bug.cgi?id=1103815
- https://exchange.xforce.ibmcloud.com/vulnerabilities/95170
- http://rhn.redhat.com/errata/RHSA-2014-1019.htmlVendor Advisory
- http://rhn.redhat.com/errata/RHSA-2014-1020.htmlVendor Advisory
- http://rhn.redhat.com/errata/RHSA-2014-1021.htmlVendor Advisory
- http://rhn.redhat.com/errata/RHSA-2015-0720.htmlVendor Advisory
- http://www.securityfocus.com/bid/69094
- https://bugzilla.redhat.com/show_bug.cgi?id=1103815
- https://exchange.xforce.ibmcloud.com/vulnerabilities/95170
FAQ
What is CVE-2014-3472?
CVE-2014-3472 is a vulnerability with a CVSS score of 4.9 (MEDIUM). The isCallerInRole function in SimpleSecurityManager in JBoss Application Server (AS) 7, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.3.0, does not properly check caller roles, w...
How severe is CVE-2014-3472?
CVE-2014-3472 has been rated MEDIUM with a CVSS base score of 4.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-3472?
Check the references section above for vendor advisories and patch information. Affected products include: Redhat Jboss Enterprise Application Platform.