{"containers": {"cna": {"affected": [{"product": "jbossas", "vendor": "Red Hat, Inc.", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-08-29T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-05-19T09:57:01.000Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1486220"}, {"name": "RHSA-2018:1608", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:1608"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/gottburgm/Exploits/tree/master/CVE-2017-12149"}, {"name": "100591", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/100591"}, {"name": "RHSA-2018:1607", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:1607"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T18:28:16.644Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1486220"}, {"name": "RHSA-2018:1608", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:1608"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/gottburgm/Exploits/tree/master/CVE-2017-12149"}, {"name": "100591", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/100591"}, {"name": "RHSA-2018:1607", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:1607"}]}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2017-12149", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-07T13:29:56.795928Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2021-12-10", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-12149"}}}], "references": [{"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-12149", "tags": ["government-resource"]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "timeline": [{"time": "2021-12-10T00:00:00+00:00", "lang": "en", "value": "CVE-2017-12149 added to CISA KEV"}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-21T23:55:31.822Z"}}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2017-12149", "dateReserved": "2017-08-01T00:00:00.000Z", "dateUpdated": "2025-10-21T23:55:31.822Z", "state": "PUBLISHED", "datePublished": "2017-10-04T20:00:00.000Z"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"containers": {"cna": {"affected": [{"product": "jbossas", "vendor": "Red Hat, Inc.", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-08-29T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-05-19T09:57:01.000Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1486220"}, {"name": "RHSA-2018:1608", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:1608"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/gottburgm/Exploits/tree/master/CVE-2017-12149"}, {"name": "100591", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/100591"}, {"name": "RHSA-2018:1607", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:1607"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T18:28:16.644Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1486220"}, {"name": "RHSA-2018:1608", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:1608"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/gottburgm/Exploits/tree/master/CVE-2017-12149"}, {"name": "100591", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/100591"}, {"name": "RHSA-2018:1607", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:1607"}]}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2017-12149", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-07T13:29:56.795928Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2021-12-10", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-12149"}}}], "references": [{"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-12149", "tags": ["government-resource"]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-07T13:23:01.215Z"}, "timeline": [{"time": "2021-12-10T00:00:00+00:00", "lang": "en", "value": "CVE-2017-12149 added to CISA KEV"}], "title": "CISA ADP Vulnrichment"}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2017-12149", "dateReserved": "2017-08-01T00:00:00.000Z", "dateUpdated": "2025-10-21T19:55:31.535Z", "state": "PUBLISHED", "datePublished": "2017-10-04T20:00:00.000Z"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"cisaActionDue": "2022-06-10", "cisaExploitAdd": "2021-12-10", "cisaRequiredAction": "Apply updates per vendor instructions.", "cisaVulnerabilityName": "Red Hat JBoss Application Server Remote Code Execution Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:-:*:*:*:text-only:*:*:*", "matchCriteriaId": "B8423D7F-3A8F-4AD8-BF51-245C9D8DD816", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "F5D7F1AD-4BD3-4C37-B6B5-B287464B2EEB", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "76D8FCD1-55D5-4187-87DD-39904EDE2EF8", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "972C5C87-E982-44A5-866D-FDEACB5203B8", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "C13890AE-5FDE-4698-8A2E-1B2FA0A313AF", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "8A785F07-9B76-4153-B676-29C9682B2F73", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "46849C8D-36E9-4E97-BB49-E04F4EB199E6", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "99D29C15-4423-4EB1-BF7F-7081B4EE6416", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "E66331CF-15C6-424A-90F8-F8F4FD3EC1E5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data."}, {"lang": "es", "value": "En Jboss Application Server tal y como se distribuye con Red Hat Enterprise Application Platform 5.2, se ha descubierto que el m\u00e9todo doFilter en el ReadOnlyAccessFilter del invocador HTTP no restringe las clases para las que realiza la deserializaci\u00f3n y, por lo tanto, permite que un atacante ejecute c\u00f3digo arbitrario mediante datos serializados manipulados."}], "id": "CVE-2017-12149", "lastModified": "2025-10-22T00:16:02.640", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2017-10-04T21:01:00.180", "references": [{"source": "secalert@redhat.com", "tags": ["Broken Link", "Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/100591"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1607"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1608"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1486220"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://github.com/gottburgm/Exploits/tree/master/CVE-2017-12149"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link", "Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/100591"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1607"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1608"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1486220"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/gottburgm/Exploits/tree/master/CVE-2017-12149"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-12149"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-502"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Joao F M Figueiredo for reporting this issue.", "affected_release": [{"advisory": "RHSA-2018:1608", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5", "package": "eap-parent", "product_name": "Red Hat JBoss Enterprise Application Platform 5.2 security update", "release_date": "2018-05-17T00:00:00Z"}, {"advisory": "RHSA-2018:1607", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5::el5", "package": "jbossas-0:5.2.0-24.ep5.el5", "product_name": "Red Hat JBoss Enterprise Application Platform 5 for RHEL 5", "release_date": "2018-05-17T00:00:00Z"}, {"advisory": "RHSA-2018:1607", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5::el6", "package": "jbossas-0:5.2.0-24.ep5.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 5 for RHEL 6", "release_date": "2018-05-17T00:00:00Z"}], "bugzilla": {"description": "jbossas: Arbitrary code execution via unrestricted deserialization in ReadOnlyAccessFilter of HTTP Invoker.", "id": "1486220", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1486220"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-502", "details": ["In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data.", "It was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization. This allows an attacker to execute arbitrary code via crafted serialized data."], "mitigation": {"lang": "en:us", "value": "Secure the access to the entire http-invoker contexts by adding <url-pattern>/*</url-pattern> to the security-constraints in the web.xml file of the http-invoker.sar.The users who do not wish to use the http-invoker.sar can remove it."}, "name": "CVE-2017-12149", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Not affected", "package_name": "eap-parent", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "eap-parent", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}], "public_date": "2017-08-30T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2017-12149\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-12149\nhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog"], "statement": "Red Hat JBoss Enterprise Application Platform 6 and 7 do not ship the http invoker so they are not affected.", "threat_severity": "Critical"}