Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score 4.3
CVE Id CVE-2008-3519
Last Modified 07 Mar 2009 01:25:13
Published 23 Sep 2008 11:24:43
Confidentiality Impact PARTIAL
Integrity Impact NONE
Availability Impact NONE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2008-3519

Summary

The default configuration of the JBossAs component in Red Hat JBoss Enterprise Application Platform (aka JBossEAP or EAP), possibly 4.2 before CP04 and 4.3 before CP02, when a production environment is enabled, sets the DownloadServerClasses property to true, which allows remote attackers to obtain sensitive information (non-EJB classes) via a download request, a different vulnerability than CVE-2008-3273.

Vulnerable Systems

Application

  • Red Hat JBoss Enterprise Application Platform 4.2

  • Red Hat JBoss Enterprise Application Platform 4.3


References

MISC - http://www.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/4.3.0.cp02/html-single/readme/index.html

MISC - http://www.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/4.2.0.cp04/html-single/readme/index.html

XF - jboss-downloadserverclasses-info-disclosure(45305)

SECTRACK - 1020905

BID - 31300

REDHAT - RHSA-2008:0834

REDHAT - RHSA-2008:0833

REDHAT - RHSA-2008:0832

REDHAT - RHSA-2008:0831

CONFIRM - http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=458823


Last Updated: 27 May 2016 10:48:12