The processInvocation function in org.jboss.as.ejb3.security.AuthorizationInterceptor in JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) before 6.0.1 authorizes all requests when no roles are allowed for an Enterprise Java Beans (EJB) method invocation, which allows attackers to bypass intended access restrictions for EJB methods.
History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2013-01-05T00:00:00Z

Updated: 2024-08-06T20:42:54.149Z

Reserved: 2012-08-21T00:00:00Z

Link: CVE-2012-4549

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2013-01-05T00:55:02.947

Modified: 2013-01-15T05:00:00.000

Link: CVE-2012-4549

Red Hat

Severity: Moderate

Public Date: 2012-12-18T00:00:00Z

Links: CVE-2012-4549 - Bugzilla