Description

Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 allows remote attackers to obtain sensitive information about "deployed web contexts" via a request to the status servlet, as demonstrated by a full=true query string. NOTE: this issue exists because of a CVE-2008-3273 regression.

References

• BID-39710
• CVE-2010-1429
• REDHAT-RHSA-2010:0376
• REDHAT-RHSA-2010:0377
• REDHAT-RHSA-2010:0378
• REDHAT-RHSA-2010:0379
• URL: http://marc.info/?l=bugtraq&m=132698550418872&w=2
• URL: http://securitytracker.com/id?1023918
• URL: http://www.securityfocus.com/bid/39710
• URL: http://www.vupen.com/english/advisories/2010/0992
• URL: http://xforce.iss.net/xforce/xfdb/58149
• URL: https://bugzilla.redhat.com/show_bug.cgi?id=585900
• URL: https://rhn.redhat.com/errata/RHSA-2010-0376.html
• URL: https://rhn.redhat.com/errata/RHSA-2010-0377.html
• URL: https://rhn.redhat.com/errata/RHSA-2010-0378.html
• URL: https://rhn.redhat.com/errata/RHSA-2010-0379.html
• XF-58149

Solution

Related Vulnerabilities

• RHSA-2010:0376: JBoss Enterprise Application Platform 4.2.0.CP09 update
• JBoss deployed web contexts information disclosure vulnerability
• RHSA-2010:0378: JBoss Enterprise Application Platform 4.2.0.CP09 update
• RHSA-2010:0379: JBoss Enterprise Application Platform 4.3.0.CP08 update
• JBoss web console incomplete security restraints information disclosure vulnerability
• Red Hat JBoss: CVE-2010-1428: A remote attacker could gain access to sensitive information.
• JBoss JMX-Console incomplete security restraints access vulnerability
• RHSA-2010:0377: JBoss Enterprise Application Platform 4.3.0.CP08 update
• Red Hat JBoss: CVE-2010-0738: Remote attackers can send requests to the application's GET handler by using a different method.