Required CVE Record Information
Description
The default configuration of the JBossAs component in Red Hat JBoss Enterprise Application Platform (aka JBossEAP or EAP), possibly 4.2 before CP04 and 4.3 before CP02, when a production environment is enabled, sets the DownloadServerClasses property to true, which allows remote attackers to obtain sensitive information (non-EJB classes) via a download request, a different vulnerability than CVE-2008-3273.
References (10 total)
- http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=458823
- http://www.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/4.3.0.cp02/html-single/readme/index.html
- http://www.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/4.2.0.cp04/html-single/readme/index.html
- redhat.com: RHSA-2008:0832 vendor-advisory
- redhat.com: RHSA-2008:0833 vendor-advisory
- redhat.com: RHSA-2008:0831 vendor-advisory
- redhat.com: RHSA-2008:0834 vendor-advisory
- securityfocus.com: 31300 vdb-entry
- exchange.xforce.ibmcloud.com: jboss-downloadserverclasses-info-disclosure(45305) vdb-entry
- securitytracker.com: 1020905 vdb-entry