CVE-2017-12149
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Red Hat, Inc. | jbossas | n/a | affected |
Weaknesses
- CWE-502: CWE-502
ADP Enrichment
CVE Program Container
Additional References
- https://bugzilla.redhat.com/show_bug.cgi?id=1486220
- https://access.redhat.com/errata/RHSA-2018:1608
- https://github.com/gottburgm/Exploits/tree/master/CVE-2017-12149
- http://www.securityfocus.com/bid/100591
- https://access.redhat.com/errata/RHSA-2018:1607
CISA ADP Vulnrichment
- SSVC:
- Exploitation: active
- Automatable: yes
- Technical Impact: total
Additional References
References
- https://bugzilla.redhat.com/show_bug.cgi?id=1486220
- https://access.redhat.com/errata/RHSA-2018:1608
- https://github.com/gottburgm/Exploits/tree/master/CVE-2017-12149
- http://www.securityfocus.com/bid/100591
- https://access.redhat.com/errata/RHSA-2018:1607
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.