CVE-2017-12167: Infoleak
First published: Thu Sep 14 2017(Updated: )
It was found in EAP 7 before 7.0.9 that properties based files of the management and the application realm configuration that contain user to role mapping are world readable allowing access to users and roles information to all the users logged in to the system.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| JBoss Enterprise Application Platform | <7.0.9 | |
| JBoss Enterprise Application Platform | =7.1.0 | |
| Red Hat Enterprise Linux | =6.0 | |
| Red Hat Enterprise Linux | =7.0 | |
| JBoss Enterprise Application Platform | =7.0.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.securityfocus.com/bid/100903
- https://access.redhat.com/errata/RHSA-2017:3454
- https://access.redhat.com/errata/RHSA-2017:3455
- https://access.redhat.com/errata/RHSA-2017:3456
- https://access.redhat.com/errata/RHSA-2017:3458
- https://access.redhat.com/errata/RHSA-2018:0002
- https://access.redhat.com/errata/RHSA-2018:0003
- https://access.redhat.com/errata/RHSA-2018:0004
- https://access.redhat.com/errata/RHSA-2018:0005
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12167
- https://bugzilla.redhat.com/show_bug.cgi?id=1491612
Frequently Asked Questions
What is the severity of CVE-2017-12167?
CVE-2017-12167 is considered a high-severity vulnerability due to the exposure of sensitive user and role mapping information.
How do I fix CVE-2017-12167?
To fix CVE-2017-12167, upgrade to a version of JBoss Enterprise Application Platform that is 7.0.9 or later.
What systems are affected by CVE-2017-12167?
CVE-2017-12167 affects JBoss Enterprise Application Platform versions prior to 7.0.9 and the exact version 7.1.0.
What impact does CVE-2017-12167 have on user data?
CVE-2017-12167 can lead to unauthorized access to user role mapping data, potentially compromising security.
Is there a workaround for CVE-2017-12167 if I cannot upgrade?
There is no official workaround for CVE-2017-12167, and upgrading is the recommended action to mitigate the risk.
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2017-12167
- agent/severity
- agent/weakness
- agent/author
- agent/references
- agent/description
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/redhat
- canonical/jboss enterprise application platform
- version/jboss enterprise application platform/7.1.0
- canonical/red hat enterprise linux
- version/red hat enterprise linux/6.0
- version/red hat enterprise linux/7.0
- version/jboss enterprise application platform/7.0.0