Access Restriction Bypass Affecting org.wildfly:wildfly-ejb3 package, versions [8.0.0.Alpha1,8.1.0.CR1)


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.19% (57th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JAVA-ORGWILDFLY-31349
  • published24 Feb 2015
  • disclosed19 Aug 2014
  • creditUnknown

Introduced: 19 Aug 2014

CVE-2014-3464  (opens in a new tab)
CWE-264  (opens in a new tab)

How to fix?

Upgrade org.wildfly:wildfly-ejb3 to version 8.1.0.CR1 or higher.

Overview

org.wildfly:wildfly-ejb3 is a WildFly Application Server

Affected versions of this package are vulnerable to Access Restriction Bypass. The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) 6.2.0 and 6.3.0, does not properly enforce the method level restrictions for outbound messages, which allows remote authenticated users to access otherwise restricted JAX-WS handlers by leveraging permissions to the EJB class. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-2133.

References

CVSS Scores

version 3.1