CVE-2012-4549 MEDIUM

CVE-2012-4549: JBoss Enterprise Application Platform (org.jboss.as.ejb3): access restriction bypass via improper EJB method authorization

Vendor Red Hat
Product Red Hat JBoss Enterprise Application Platform 6.0
Weakness CWE-266
Published January 5, 2013
Last update May 14, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality Low
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

Description

A flaw was found in JBoss Enterprise Application Platform. The `processInvocation` method of `org.jboss.as.ejb3.security.AuthorizationInterceptor` authorizes every request when no roles are defined for an Enterprise JavaBeans (EJB) method invocation: the check fails open instead of failing closed. A remote, unauthenticated attacker (CVSS PR:N) can therefore invoke EJB methods that were meant to be restricted but carry no explicit role mapping, for example a business method with no `@RolesAllowed` annotation and no `method-permission` element in `ejb-jar.xml`, and reach functionality the deployer intended to protect. When auditing an affected deployment, treat any business method in a security domain that has no role assigned as reachable by anyone, rather than assuming the container denies it by default.
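The following is an added illustration of the fail-open decision described above, not code from JBoss EAP itself. It models the decision an EJB authorization interceptor makes per method invocation and contrasts the vulnerable behaviour (no roles configured means everyone is allowed) with a fail-closed version in which only an explicit permit-all marker opens a method to all callers. All class, function and method names, and the sample deployment policies, are assumptions made up for this example.

```python
"""Model of the fail-open EJB authorization decision in CVE-2012-4549.

Added example, not JBoss EAP's own code.  `MethodPolicy` stands in for the
role metadata a container derives from @RolesAllowed / @PermitAll / @DenyAll
or the ejb-jar.xml assembly descriptor; the names below are illustrative.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class Caller:
    principal: Optional[str]            # None models an unauthenticated caller
    roles: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class MethodPolicy:
    """Authorization metadata for one EJB business method (assumed shape)."""
    name: str
    roles_allowed: FrozenSet[str] = frozenset()  # @RolesAllowed / method-permission
    permit_all: bool = False                      # explicit @PermitAll / <unchecked/>
    deny_all: bool = False                        # explicit @DenyAll / <exclude-list>


def authorize_fail_open(caller: Caller, policy: MethodPolicy) -> bool:
    """Vulnerable decision: an empty role set is treated as 'no restriction'."""
    if policy.deny_all:
        return False
    if not policy.roles_allowed:        # BUG: unconfigured == unrestricted
        return True
    return bool(caller.roles & policy.roles_allowed)


def authorize_fail_closed(caller: Caller, policy: MethodPolicy) -> bool:
    """Hardened decision: only an explicit permit_all opens a method to everyone."""
    if policy.deny_all:
        return False
    if policy.permit_all:
        return True
    if not policy.roles_allowed:        # unconfigured == denied
        return False
    if caller.principal is None:        # anonymous callers never satisfy a role check
        return False
    return bool(caller.roles & policy.roles_allowed)


def audit(policies: Iterable[MethodPolicy],
          authorize: Callable[[Caller, MethodPolicy], bool]) -> List[str]:
    """Names of the methods an anonymous caller may invoke under `authorize`."""
    anonymous = Caller(principal=None)
    return [p.name for p in policies if authorize(anonymous, p)]


# Constructed sample deployment: one role-restricted method, one deliberately
# public method, one excluded method, and one the deployer never mapped to a role.
SAMPLE_POLICIES = [
    MethodPolicy("transferFunds", roles_allowed=frozenset({"teller"})),
    MethodPolicy("getBranchHours", permit_all=True),
    MethodPolicy("resetLedger", deny_all=True),
    MethodPolicy("exportCustomerList"),          # no roles configured at all
]

if __name__ == "__main__":
    print("anonymous can call (fail-open)  :", audit(SAMPLE_POLICIES, authorize_fail_open))
    print("anonymous can call (fail-closed):", audit(SAMPLE_POLICIES, authorize_fail_closed))
```

Under the fail-open rule the unmapped `exportCustomerList` method is callable by an anonymous caller, which is exactly the bypass the advisory describes; under the fail-closed rule only the method explicitly marked permit-all is. The same audit loop, run over the real role metadata of a deployment, is the quickest way to enumerate which methods an affected container would have exposed.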

Key dates

Disclosure timeline

January 5, 2013 CVE published
May 14, 2026 Record updated