CVE-2012-4549

A flaw was found in JBoss Enterprise Application Platform. The `processInvocation` function within the `org.jboss.as.ejb3.security.AuthorizationInterceptor` component incorrectly authorizes all requests when no roles are defined for an Enterprise Java Beans (EJB) method invocation. This allows attackers to bypass intended access restrictions for EJB methods, leading to unauthorized access to sensitive functionalities.

CVSS v3 6.5 MEDIUM
CVSS v2.0 5.8 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

5.8^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:N

Exploitability : 8.6 / Impact : 4.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://rhn.redhat.com/errata/RHSA-2012-1591.html	Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2012-1592.html	Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2012-1594.html	Vendor Advisory
http://secunia.com/advisories/51607	Vendor Advisory
https://access.redhat.com/errata/RHSA-2012:1591
https://access.redhat.com/errata/RHSA-2012:1592
https://access.redhat.com/errata/RHSA-2012:1594
https://access.redhat.com/security/cve/CVE-2012-4549
http://rhn.redhat.com/errata/RHSA-2012-1591.html	Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2012-1592.html	Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2012-1594.html	Vendor Advisory
http://secunia.com/advisories/51607	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:redhat:jboss_enterprise_application_platform::::::::
	cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:::::::*
	cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:::::::*
	cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.0.0:::::::*
	cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.0.1:::::::*
	cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.1.0:::::::*
	cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.1.1:::::::*
	cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.1.2:::::::*
	cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.2.0:::::::*
	cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.2.1:::::::*
	cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.2.2:::::::*

History

14 May 2026, 23:16

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2012:1591 - () https://access.redhat.com/errata/RHSA-2012:1592 - () https://access.redhat.com/errata/RHSA-2012:1594 - () https://access.redhat.com/security/cve/CVE-2012-4549 -
Summary	(en) The processInvocation function in org.jboss.as.ejb3.security.AuthorizationInterceptor in JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) before 6.0.1, authorizes all requests when no roles are allowed for an Enterprise Java Beans (EJB) method invocation, which allows attackers to bypass intended access restrictions for EJB methods.	(en) A flaw was found in JBoss Enterprise Application Platform. The `processInvocation` function within the `org.jboss.as.ejb3.security.AuthorizationInterceptor` component incorrectly authorizes all requests when no roles are defined for an Enterprise Java Beans (EJB) method invocation. This allows attackers to bypass intended access restrictions for EJB methods, leading to unauthorized access to sensitive functionalities.
CWE		CWE-266
CVSS	v2 : ~~5.8~~ v3 : ~~unknown~~	v2 : 5.8 v3 : 6.5

21 Nov 2024, 01:43

Type	Values Removed	Values Added
References	~~() http://rhn.redhat.com/errata/RHSA-2012-1591.html - Vendor Advisory~~	() http://rhn.redhat.com/errata/RHSA-2012-1591.html - Vendor Advisory
References	~~() http://rhn.redhat.com/errata/RHSA-2012-1592.html - Vendor Advisory~~	() http://rhn.redhat.com/errata/RHSA-2012-1592.html - Vendor Advisory
References	~~() http://rhn.redhat.com/errata/RHSA-2012-1594.html - Vendor Advisory~~	() http://rhn.redhat.com/errata/RHSA-2012-1594.html - Vendor Advisory
References	~~() http://secunia.com/advisories/51607 - Vendor Advisory~~	() http://secunia.com/advisories/51607 - Vendor Advisory

Information

Published : 2013-01-05 00:55

Updated : 2026-05-14 23:16

NVD link : CVE-2012-4549

Mitre link : CVE-2012-4549

CVE.ORG link : CVE-2012-4549

JSON object : View

Products Affected

redhat

jboss_enterprise_application_platform

CWE

CWE-266

Incorrect Privilege Assignment

CWE-264

Permissions, Privileges, and Access Controls

6.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

5.8 /10

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2012-4549

6.5^/10

5.8^/10

Attach tags to `CVE-2012-4549`