CVE-2011-2908

Description

Cross-site request forgery (CSRF) vulnerability in the JMX Console (jmx-console) in JBoss Enterprise Portal Platform before 5.2.2, BRMS Platform 5.3.0 before roll up patch1, and SOA Platform 5.3.0 allows remote authenticated users to hijack the authentication of arbitrary users for requests that perform operations on MBeans and possibly execute arbitrary code via unspecified vectors.

CVSS Metrics

• v2.0•MEDIUM•Score: 6AV:N/AC:M/Au:S/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 0.72%• Percentile: 73%

Techniques & Countermeasures

• CWE-352•Cross-Site Request Forgery (CSRF)

  The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Affected Systems

• redhat•jboss_enterprise_brms_platform

  5.3.0

• redhat•jboss_enterprise_portal_platform

  ≤ 5.2.1 | 5.0.0 | 5.0.1 | 5.1.0 | 5.1.1 | 5.2.0

• redhat•jboss_enterprise_soa_platform

  5.3.0

References (18)

• http://rhn.redhat.com/errata/RHSA-2012-1165.html
• http://www.securityfocus.com/bid/54915
• https://exchange.xforce.ibmcloud.com/vulnerabilities/77549
• http://secunia.com/advisories/50230
• http://rhn.redhat.com/errata/RHSA-2013-0192.html
• http://rhn.redhat.com/errata/RHSA-2013-0198.html
• http://rhn.redhat.com/errata/RHSA-2012-1152.html
• http://rhn.redhat.com/errata/RHSA-2013-0195.html
• http://rhn.redhat.com/errata/RHSA-2013-0196.html
• http://rhn.redhat.com/errata/RHSA-2013-0193.html
• http://secunia.com/advisories/51984
• http://secunia.com/advisories/50549
• https://bugzilla.redhat.com/show_bug.cgi?id=730176
• http://rhn.redhat.com/errata/RHSA-2013-0191.html
• http://rhn.redhat.com/errata/RHSA-2012-1232.html
• http://rhn.redhat.com/errata/RHSA-2013-0197.html
• http://rhn.redhat.com/errata/RHSA-2013-0194.html
• http://www.osvdb.org/84530