- Bug
- Resolution: Done
- Critical
- JBossAS-3.2.5 Final, JBossAS-4.0.0 Final, JBossAS-3.2.6 Final, JBossAS-3.2.7 Final, JBossAS-4.0.1 Final, JBossAS-4.0.1 SP1, JBossAS-4.0.2 Final, JBossAS-4.0.3 Final, JBossAS-3.2.8 Final, JBossAS-3.2.8.SP1, JBossAS-4.0.4.GA, JBossAS-4.0.5.GA
- None
- Workaround Exists
Symantec discovered a flaw in the DeploymentFileRepository
class of the JBoss application server. A remote attacker who
is able to access the console manager could read or write to
files with the permissions of the JBoss user. This could
potentially lead to arbitrary code execution as the JBoss
user. (CVE-2006-5750)
Please note that the JBoss console manager should always be
secured prior to deployment. By default, the JBoss installer
gives users the ability to password protect the console
manager, limiting an attack using this vulnerability to
authorised users. These steps can also be performed manually.
http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss
This vulnerability affects all JBoss releases from v3.2.4 to v4.0.5.
- relates to
- JBAS-4621 error deploying admin-consoles in deploy is a link
- Closed