The request handler in JBossWS in JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP06 and 4.3 before 4.3.0.CP04 does not properly validate the resource path during a request for a WSDL file with a custom web-service endpoint, which allows remote attackers to read arbitrary XML files via a crafted request.

Metrics

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Redhat
  • Jboss Enterprise Application Platform

Configuration 1 [-]

OR cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:cp01:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:cp02:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:cp03:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:cp04:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:cp05:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:cp06:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:cp01:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:cp02:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:cp03:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:cp04:*:*:*:*:*:*
Package CPE Advisory Released Date
JBEAP 4.2.0 for RHEL 4
glassfish-jsf-0:1.2_10-0jpp.ep1.5.ep5.el4 cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4 RHSA-2009:0346 2009-03-06T00:00:00Z
hibernate3-1:3.2.4-1.SP1_CP07.0jpp.ep1.14.el4 cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4 RHSA-2009:0346 2009-03-06T00:00:00Z
jacorb-0:2.3.0-1jpp.ep1.7.el4 cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4 RHSA-2009:0346 2009-03-06T00:00:00Z
jakarta-commons-fileupload-1:1.1.1-3jpp.ep1.2.el4 cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4 RHSA-2009:0346 2009-03-06T00:00:00Z
jakarta-commons-io-0:1.1-0.20051005.2jpp_1rh cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4 RHSA-2009:0346 2009-03-06T00:00:00Z
jakarta-commons-logging-jboss-0:1.1-4.ep1.el4 cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4 RHSA-2009:0346 2009-03-06T00:00:00Z
jbossas-0:4.2.0-4.GA_CP06.3.ep1.el4 cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4 RHSA-2009:0346 2009-03-06T00:00:00Z
jboss-cache-0:1.4.1-6.SP11.1.ep1.el4 cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4 RHSA-2009:0346 2009-03-06T00:00:00Z
jboss-jaxr-0:1.2.0-SP2.0jpp.ep1.3.el4 cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4 RHSA-2009:0346 2009-03-06T00:00:00Z
jboss-remoting-0:2.2.2-3.SP11.0jpp.ep1.1.el4 cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4 RHSA-2009:0346 2009-03-06T00:00:00Z
jboss-seam-0:1.2.1-1.ep1.18.el4 cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4 RHSA-2009:0346 2009-03-06T00:00:00Z
jbossts-1:4.2.3-1.SP5_CP04.1jpp.ep1.1.el4 cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4 RHSA-2009:0346 2009-03-06T00:00:00Z
jboss-vfs-0:1.0.0-1.ep1.el4 cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4 RHSA-2009:0346 2009-03-06T00:00:00Z
jbossweb-0:2.0.0-6.CP09.0jpp.ep1.1.el4 cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4 RHSA-2009:0346 2009-03-06T00:00:00Z
jgroups-1:2.4.5-2.ep1.el4 cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4 RHSA-2009:0346 2009-03-06T00:00:00Z
rh-eap-docs-0:4.2.0-5.GA_CP06.ep1.3.el4 cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4 RHSA-2009:0346 2009-03-06T00:00:00Z
tanukiwrapper-0:3.2.1-2jpp.ep1.2.el4 cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4 RHSA-2009:0346 2009-03-06T00:00:00Z
ws-commons-policy-0:1.0-2jpp.ep1.7.el4 cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4 RHSA-2009:0346 2009-03-06T00:00:00Z
ws-scout0-0:0.7-0.rc2.4.el4 cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4 RHSA-2009:0346 2009-03-06T00:00:00Z
xalan-j2-0:2.7.0-2jpp.ep1.5.el4 cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4 RHSA-2009:0346 2009-03-06T00:00:00Z
JBEAP 4.2.0 for RHEL 5
glassfish-jsf-0:1.2_10-0jpp.ep1.5.ep5.el5 cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el5 RHSA-2009:0348 2009-03-06T00:00:00Z
hibernate3-1:3.2.4-1.SP1_CP07.0jpp.ep1.14.1.el5 cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el5 RHSA-2009:0348 2009-03-06T00:00:00Z
jacorb-0:2.3.0-1jpp.ep1.7.1.el5 cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el5 RHSA-2009:0348 2009-03-06T00:00:00Z
jakarta-commons-logging-jboss-0:1.1-4.1.ep1.el5 cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el5 RHSA-2009:0348 2009-03-06T00:00:00Z
jbossas-0:4.2.0-4.GA_CP06.3.1.ep1.el5 cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el5 RHSA-2009:0348 2009-03-06T00:00:00Z
jboss-cache-0:1.4.1-6.SP11.1.ep1.el5 cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el5 RHSA-2009:0348 2009-03-06T00:00:00Z
jboss-jaxr-0:1.2.0-SP2.0jpp.ep1.3.2.el5 cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el5 RHSA-2009:0348 2009-03-06T00:00:00Z
jboss-remoting-0:2.2.2-3.SP11.0jpp.ep1.1.el5 cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el5 RHSA-2009:0348 2009-03-06T00:00:00Z
jboss-seam-0:1.2.1-1.ep1.12.el5 cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el5 RHSA-2009:0348 2009-03-06T00:00:00Z
jbossts-1:4.2.3-1.SP5_CP04.1jpp.ep1.2.el5 cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el5 RHSA-2009:0348 2009-03-06T00:00:00Z
jboss-vfs-0:1.0.0-1.ep1.el5 cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el5 RHSA-2009:0348 2009-03-06T00:00:00Z
jbossweb-0:2.0.0-6.CP09.0jpp.ep1.1.el5 cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el5 RHSA-2009:0348 2009-03-06T00:00:00Z
jbossws-jboss42-0:1.2.1-1.1.ep1.el5 cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el5 RHSA-2009:0348 2009-03-06T00:00:00Z
jgroups-1:2.4.5-2.1.ep1.el5 cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el5 RHSA-2009:0348 2009-03-06T00:00:00Z
rh-eap-docs-0:4.2.0-5.GA_CP06.ep1.3.1.el5 cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el5 RHSA-2009:0348 2009-03-06T00:00:00Z
tanukiwrapper-0:3.2.1-2jpp.ep1.2.el5 cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el5 RHSA-2009:0348 2009-03-06T00:00:00Z
ws-commons-policy-0:1.0-2jpp.ep1.7.el5 cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el5 RHSA-2009:0348 2009-03-06T00:00:00Z
ws-scout0-0:0.7-0.rc2.4.el5 cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el5 RHSA-2009:0348 2009-03-06T00:00:00Z
Red Hat JBoss Enterprise Application Platform 4.3 for RHEL 4
glassfish-jaxb-0:2.1.4-1.6.ep1.el4 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4 RHSA-2009:0347 2009-03-06T00:00:00Z
glassfish-jsf-0:1.2_10-0jpp.ep1.5.ep5.el4 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4 RHSA-2009:0347 2009-03-06T00:00:00Z
hibernate3-1:3.2.4-1.SP1_CP07.0jpp.ep1.14.el4 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4 RHSA-2009:0347 2009-03-06T00:00:00Z
jacorb-0:2.3.0-1jpp.ep1.7.el4 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4 RHSA-2009:0347 2009-03-06T00:00:00Z
jakarta-commons-fileupload-1:1.1.1-3jpp.ep1.2.el4 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4 RHSA-2009:0347 2009-03-06T00:00:00Z
jakarta-commons-io-0:1.1-0.20051005.2jpp_1rh cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4 RHSA-2009:0347 2009-03-06T00:00:00Z
jakarta-commons-logging-jboss-0:1.1-4.ep1.el4 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4 RHSA-2009:0347 2009-03-06T00:00:00Z
jbossas-0:4.3.0-3.GA_CP04.3.ep1.el4 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4 RHSA-2009:0347 2009-03-06T00:00:00Z
jboss-cache-0:1.4.1-6.SP11.1.ep1.el4 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4 RHSA-2009:0347 2009-03-06T00:00:00Z
jboss-jaxr-0:1.2.0-SP2.0jpp.ep1.3.el4 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4 RHSA-2009:0347 2009-03-06T00:00:00Z
jboss-messaging-0:1.4.0-2.SP3_CP07.1.ep1.el4 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4 RHSA-2009:0347 2009-03-06T00:00:00Z
jboss-remoting-0:2.2.2-3.SP11.0jpp.ep1.1.el4 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4 RHSA-2009:0347 2009-03-06T00:00:00Z
jboss-seam-0:1.2.1-3.JBPAPP_4_3_0_GA.ep1.14.el4 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4 RHSA-2009:0347 2009-03-06T00:00:00Z
jbossts-1:4.2.3-1.SP5_CP04.1jpp.ep1.1.el4 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4 RHSA-2009:0347 2009-03-06T00:00:00Z
jboss-vfs-0:1.0.0-1.ep1.el4 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4 RHSA-2009:0347 2009-03-06T00:00:00Z
jbossweb-0:2.0.0-6.CP09.0jpp.ep1.1.el4 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4 RHSA-2009:0347 2009-03-06T00:00:00Z
jbossws-0:2.0.1-3.SP2_CP05.4.ep1.el4 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4 RHSA-2009:0347 2009-03-06T00:00:00Z
jbossws-common-0:1.0.0-2.GA_CP03.1.ep1.el4 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4 RHSA-2009:0347 2009-03-06T00:00:00Z
jbossws-framework-0:2.0.1-1.GA_CP03.2.ep1.el4 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4 RHSA-2009:0347 2009-03-06T00:00:00Z
jgroups-1:2.4.5-2.ep1.el4 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4 RHSA-2009:0347 2009-03-06T00:00:00Z
rh-eap-docs-0:4.3.0-4.GA_CP04.ep1.3.el4 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4 RHSA-2009:0347 2009-03-06T00:00:00Z
tanukiwrapper-0:3.2.1-2jpp.ep1.2.el4 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4 RHSA-2009:0347 2009-03-06T00:00:00Z
ws-commons-policy-0:1.0-2jpp.ep1.7.el4 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4 RHSA-2009:0347 2009-03-06T00:00:00Z
ws-scout0-0:0.7-0.rc2.4.el4 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4 RHSA-2009:0347 2009-03-06T00:00:00Z
xalan-j2-0:2.7.0-2jpp.ep1.5.el4 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4 RHSA-2009:0347 2009-03-06T00:00:00Z
Red Hat JBoss Enterprise Application Platform 4.3 for RHEL 5
glassfish-jaxb-0:2.1.4-1.6.1.ep1.el5 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 RHSA-2009:0349 2009-03-06T00:00:00Z
glassfish-jsf-0:1.2_10-0jpp.ep1.5.ep5.el5 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 RHSA-2009:0349 2009-03-06T00:00:00Z
hibernate3-1:3.2.4-1.SP1_CP07.0jpp.ep1.14.1.el5 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 RHSA-2009:0349 2009-03-06T00:00:00Z
jacorb-0:2.3.0-1jpp.ep1.7.1.el5 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 RHSA-2009:0349 2009-03-06T00:00:00Z
jakarta-commons-logging-jboss-0:1.1-4.1.ep1.el5 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 RHSA-2009:0349 2009-03-06T00:00:00Z
jbossas-0:4.3.0-3.GA_CP04.2.1.ep1.el5 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 RHSA-2009:0349 2009-03-06T00:00:00Z
jboss-cache-0:1.4.1-6.SP11.1.ep1.el5 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 RHSA-2009:0349 2009-03-06T00:00:00Z
jboss-jaxr-0:1.2.0-SP2.0jpp.ep1.3.2.el5 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 RHSA-2009:0349 2009-03-06T00:00:00Z
jboss-messaging-0:1.4.0-2.SP3_CP07.1.ep1.el5 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 RHSA-2009:0349 2009-03-06T00:00:00Z
jboss-remoting-0:2.2.2-3.SP11.0jpp.ep1.1.el5 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 RHSA-2009:0349 2009-03-06T00:00:00Z
jboss-seam-0:1.2.1-3.JBPAPP_4_3_0_GA.ep1.10.el5.1 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 RHSA-2009:0349 2009-03-06T00:00:00Z
jbossts-1:4.2.3-1.SP5_CP04.1jpp.ep1.2.el5 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 RHSA-2009:0349 2009-03-06T00:00:00Z
jboss-vfs-0:1.0.0-1.ep1.el5 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 RHSA-2009:0349 2009-03-06T00:00:00Z
jbossweb-0:2.0.0-6.CP09.0jpp.ep1.1.el5 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 RHSA-2009:0349 2009-03-06T00:00:00Z
jbossws-0:2.0.1-3.SP2_CP05.3.1.ep1.el5 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 RHSA-2009:0349 2009-03-06T00:00:00Z
jbossws-common-0:1.0.0-2.GA_CP03.1.ep1.el5 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 RHSA-2009:0349 2009-03-06T00:00:00Z
jbossws-framework-0:2.0.1-1.GA_CP03.2.ep1.el5 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 RHSA-2009:0349 2009-03-06T00:00:00Z
jgroups-1:2.4.5-2.1.ep1.el5 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 RHSA-2009:0349 2009-03-06T00:00:00Z
rh-eap-docs-0:4.3.0-4.GA_CP04.ep1.3.1.el5 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 RHSA-2009:0349 2009-03-06T00:00:00Z
tanukiwrapper-0:3.2.1-2jpp.ep1.2.el5 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 RHSA-2009:0349 2009-03-06T00:00:00Z
ws-commons-policy-0:1.0-2jpp.ep1.7.el5 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 RHSA-2009:0349 2009-03-06T00:00:00Z
ws-scout0-0:0.7-0.rc2.4.el5 cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 RHSA-2009:0349 2009-03-06T00:00:00Z
References
Link Providers
http://rhn.redhat.com/errata/RHSA-2009-0346.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2009-0347.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2009-0348.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2009-0349.html cve-icon cve-icon
http://secunia.com/advisories/34112 cve-icon cve-icon
http://www.securityfocus.com/bid/34023 cve-icon cve-icon
http://www.securitytracker.com/id?1021817 cve-icon cve-icon
https://bugzilla.redhat.com/show_bug.cgi?id=479668 cve-icon cve-icon
https://jira.jboss.org/jira/browse/JBPAPP-1548 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2009-0027 cve-icon
https://www.cve.org/CVERecord?id=CVE-2009-0027 cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2009-03-09T21:00:00

Updated: 2024-08-07T04:17:10.514Z

Reserved: 2008-12-15T00:00:00

Link: CVE-2009-0027

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2009-03-09T21:30:00.170

Modified: 2024-11-21T00:58:54.017

Link: CVE-2009-0027

cve-icon Redhat

Severity : Moderate

Publid Date: 2009-03-06T00:00:00Z

Links: CVE-2009-0027 - Bugzilla