PT-2008-4911 · Red Hat · Red Hat JBoss Enterprise Application Platform
Marc Schoenefeld · Published 2008-09-23 · Updated 2017-08-08 · CVE-2008-3519
CVSS v2.0: 4.3 (Medium), vector AV:N/AC:M/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Red Hat JBoss Enterprise Application Platform (aka JBossEAP or EAP) versions 4.2 before CP04 and 4.3 before CP02
Description
The default configuration of the JBossAs component in Red Hat JBoss Enterprise Application Platform allows remote attackers to obtain sensitive information via a download request when a production environment is enabled. This occurs because the DownloadServerClasses property is set to true by default.
Recommendations
For Red Hat JBoss Enterprise Application Platform version 4.2 before CP04, update to CP04 or later to resolve the issue.
For Red Hat JBoss Enterprise Application Platform version 4.3 before CP02, update to CP02 or later to resolve the issue.
As a temporary workaround, consider setting the DownloadServerClasses property to false to prevent remote attackers from obtaining sensitive information.
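As an added example (not part of the advisory or of Red Hat's code), the following Python audit reports whether a JBoss AS 4.x service descriptor leaves DownloadServerClasses enabled and rewrites it to false, the workaround given above. The WebService MBean class name, the descriptor layout and the sample configuration are constructed assumptions; only the property name and its insecure default come from the advisory.

```python
"""Audit a JBoss AS 4.x service descriptor for the DownloadServerClasses
setting behind CVE-2008-3519 and apply the advisory's workaround."""
import xml.etree.ElementTree as ET

# Constructed sample descriptor. The MBean code/name are assumed to match
# the JBoss AS 4.x WebService MBean; the attribute name is from the advisory.
WEBSERVICE_MBEAN = "org.jboss.web.WebService"
SAMPLE_CONFIG = """<server>
  <mbean code="org.jboss.web.WebService" name="jboss:service=WebService">
    <attribute name="Port">8083</attribute>
    <attribute name="DownloadServerClasses">true</attribute>
  </mbean>
  <mbean code="org.jboss.naming.NamingService" name="jboss:service=Naming">
    <attribute name="Port">1099</attribute>
  </mbean>
</server>
"""

def download_server_classes_enabled(config_xml: str) -> bool:
    """True if remote class download is on. The advisory says the property
    defaults to true, so a WebService MBean that omits it counts as enabled."""
    root = ET.fromstring(config_xml)
    for mbean in root.iter("mbean"):
        if mbean.get("code") != WEBSERVICE_MBEAN:
            continue
        for attr in mbean.findall("attribute"):
            if attr.get("name") == "DownloadServerClasses":
                return (attr.text or "").strip().lower() == "true"
        return True   # attribute absent: insecure default applies
    return False      # no WebService MBean deployed at all

def harden(config_xml: str) -> str:
    """Return the descriptor with DownloadServerClasses set explicitly to
    false, adding the attribute if it was missing so the default is never relied on."""
    root = ET.fromstring(config_xml)
    for mbean in root.iter("mbean"):
        if mbean.get("code") != WEBSERVICE_MBEAN:
            continue
        for attr in mbean.findall("attribute"):
            if attr.get("name") == "DownloadServerClasses":
                attr.text = "false"
                break
        else:
            ET.SubElement(mbean, "attribute", name="DownloadServerClasses").text = "false"
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print("enabled before:", download_server_classes_enabled(SAMPLE_CONFIG))
    print("enabled after: ", download_server_classes_enabled(harden(SAMPLE_CONFIG)))
```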
Affected Products
Red Hat JBoss Enterprise Application Platform