VID | 22470
Severity | 20
Port | 8080, ...
Protocol | TCP
Class | Servlet
Detailed Description |
JBoss EAP is vulnerable to an information disclosure vulnerability via the status servlet. JBoss Enterprise Application Platform (EAP) versions prior to 4.2.0.CP03, and 4.3.0 versions prior to 4.3.0.CP01, could allow a remote attacker to obtain sensitive information via a request to the status servlet, which is used to monitor sessions and requests sent to the server. A remote attacker could exploit this flaw to obtain potentially sensitive details about "deployed web contexts".
* References: https://bugzilla.redhat.com/show_bug.cgi?id=457757 ; http://jira.jboss.com/jira/browse/JBPAPP-544
* Platforms Affected: JBoss Jboss_enterprise_application_server versions prior to 4.2.0.CP03; JBoss Jboss_enterprise_application_server versions 4.3.0 prior to 4.3.0.CP01
Recommendation |
Upgrade to the latest version of JBoss EAP (4.2.0.CP03 / 4.3.0.CP01 or later), as listed on the JBoss Web site at http://jira.jboss.com/jira/browse/JBPAPP-544
Related URL | CVE-2008-3273 (CVE)
Related URL | 30540 (SecurityFocus)
Related URL | (ISS)