Bug#562000: CVE-2009-0027 CVE-2009-1380 CVE-2009-3554 CVE-2009-2405

Giuseppe Iuculano iuculano at debian.org
Mon Dec 21 21:54:50 UTC 2009


Package: jbossas4
Severity: grave
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for jbossas4.

CVE-2009-0027[0]:
| The request handler in JBossWS in JBoss Enterprise Application
| Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP06 and 4.3 before
| 4.3.0.CP04 does not properly validate the resource path during a
| request for a WSDL file with a custom web-service endpoint, which
| allows remote attackers to read arbitrary XML files via a crafted
| request.

CVE-2009-1380[1]:
| Cross-site scripting (XSS) vulnerability in JMX-Console in JBossAs in
| Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP)
| 4.2 before 4.2.0.CP08 and 4.3 before 4.3.0.CP07 allows remote
| attackers to inject arbitrary web script or HTML via the filter
| parameter, related to the key property and the position of quote and
| colon characters.

CVE-2009-3554[2]:
| Twiddle in Red Hat JBoss Enterprise Application Platform (aka JBoss
| EAP or JBEAP) 4.2 before 4.2.0.CP08 and 4.3 before 4.3.0.CP07 writes
| the JMX password, and other command-line arguments, to the twiddle.log
| file, which allows local users to obtain sensitive information by
| reading this file.

CVE-2009-2405[3]:
| Multiple cross-site scripting (XSS) vulnerabilities in the Web Console
| in the Application Server in Red Hat JBoss Enterprise Application
| Platform (aka JBoss EAP or JBEAP) 4.2.0 before 4.2.0.CP08, 4.2.2GA,
| 4.3 before 4.3.0.CP07, and 5.1.0GA allow remote attackers to inject
| arbitrary web script or HTML via the (1) monitorName, (2) objectName,
| (3) attribute, or (4) period parameter to createSnapshot.jsp, or the
| (5) monitorName, (6) objectName, (7) attribute, (8) threshold, (9)
| period, or (10) enabled parameter to createThresholdMonitor.jsp.  NOTE:
| some of these details are obtained from third party information.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0027
    http://security-tracker.debian.org/tracker/CVE-2009-0027
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1380
    http://security-tracker.debian.org/tracker/CVE-2009-1380
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3554
    http://security-tracker.debian.org/tracker/CVE-2009-3554
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2405
    http://security-tracker.debian.org/tracker/CVE-2009-2405


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAksv7qcACgkQNxpp46476aphLwCfTWuBeFcKRy9eqXVb8Npt+8GS
7+cAn0zrtf4pK7R0BikWy2Qxxzphq1EA
=5rGT
-----END PGP SIGNATURE-----
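Added example, not code from this bug report or from JBossWS: CVE-2009-0027 above is a missing validation of a client-supplied resource name when a WSDL file is served. The check a WSDL handler needs is to resolve the name against a fixed base directory, canonicalise the result, and refuse anything that lands outside that directory or is not a WSDL/XSD file. The class and method names, the base directory layout and the sample file names are assumptions made for the illustration; the files are constructed in a temporary directory so the program runs stand-alone.

```java
import java.io.FileNotFoundException;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Locale;

/**
 * Illustrative resolver (assumed name, not JBossWS code): maps a
 * client-supplied WSDL/XSD resource name to a file inside a fixed base
 * directory and rejects anything that escapes it.
 */
public final class WsdlResourceResolver {

    private final Path baseDir;

    public WsdlResourceResolver(Path baseDir) throws IOException {
        // Canonicalise the base once so symlinks in the base itself cannot confuse the check.
        this.baseDir = baseDir.toRealPath();
    }

    /** Returns the canonical path of the requested resource or throws if it is not allowed. */
    public Path resolve(String requested) throws IOException {
        if (requested == null || requested.isEmpty()) {
            throw new IllegalArgumentException("empty resource name");
        }
        // Reject NUL and backslashes before touching the filesystem.
        if (requested.indexOf('\0') >= 0 || requested.indexOf('\\') >= 0) {
            throw new IllegalArgumentException("illegal character in resource name");
        }
        // Only the document types a WSDL request can legitimately ask for.
        String lower = requested.toLowerCase(Locale.ROOT);
        if (!(lower.endsWith(".wsdl") || lower.endsWith(".xsd"))) {
            throw new IllegalArgumentException("unsupported resource type: " + requested);
        }
        // normalize() collapses "..", so a traversal shows up as a path outside baseDir;
        // an absolute name replaces baseDir entirely and fails the same test.
        Path candidate = baseDir.resolve(requested).normalize();
        if (!candidate.startsWith(baseDir)) {
            throw new SecurityException("resource escapes base directory: " + requested);
        }
        if (!Files.isRegularFile(candidate)) {
            throw new FileNotFoundException(requested);
        }
        // toRealPath() follows symlinks, so containment is checked again on the real path.
        Path real = candidate.toRealPath();
        if (!real.startsWith(baseDir)) {
            throw new SecurityException("resource resolves outside base directory: " + requested);
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout: <tmp>/wsdl/HelloService.wsdl is served,
        // <tmp>/secret.xsd sits one level above the served directory.
        Path tmp = Files.createTempDirectory("wsdl-example");
        Path base = Files.createDirectory(tmp.resolve("wsdl"));
        Files.write(base.resolve("HelloService.wsdl"), "<definitions/>".getBytes(StandardCharsets.UTF_8));
        Files.write(tmp.resolve("secret.xsd"), "<schema/>".getBytes(StandardCharsets.UTF_8));

        WsdlResourceResolver resolver = new WsdlResourceResolver(base);
        System.out.println("accepted: " + resolver.resolve("HelloService.wsdl"));

        String[] rejected = {
            "../secret.xsd",                        // plain traversal
            "HelloService.wsdl/../../secret.xsd",   // traversal hidden behind a valid name
            "/etc/passwd",                          // absolute path, wrong type
            "secret.xml",                           // not a WSDL/XSD resource
        };
        for (String name : rejected) {
            try {
                resolver.resolve(name);
                System.out.println("UNEXPECTED: accepted " + name);
            } catch (RuntimeException | IOException e) {
                System.out.println("rejected " + name + " (" + e.getClass().getSimpleName() + ")");
            }
        }
    }
}
```

The containment test is done twice on purpose: once on the normalised path, which catches `..` and absolute names before any filesystem access, and once on the real path, which catches a symlink inside the served directory pointing elsewhere. Checking the extension first keeps arbitrary XML files (the class of file the CVE text says could be read) out of reach even if a later check were weakened.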