PT-2013-1816 · Red Hat · Red Hat Jboss Enterprise Application Platform+1
David Jorm
·
Published
2013-03-12
·
Updated
2023-02-13
·
CVE-2012-5629
CVSS v2.0
7.5
High
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
JBoss Enterprise Application Platform (EAP) versions 4.3.0 CP10 through 6.0.1
JBoss Enterprise Web Platform (EWP) version 5.2.0
Description
The default configuration of the LdapLoginModule and LdapExtLoginModule modules allows remote attackers to bypass authentication via an empty password. The modules forward the empty password to the directory in an LDAP simple bind; a server that permits unauthenticated binds (a non-empty DN with an empty password, RFC 4513 section 5.1.2) answers with success without checking any credential, and the login module treats that as a valid login. An attacker who knows or can guess a user's DN can therefore log in as that user with no password.
Recommendations
For JBoss Enterprise Application Platform (EAP) versions 4.3.0 CP10 through 6.0.1, apply the vendor update and configure the login modules to reject empty passwords before any bind is attempted (in JBoss documentation this is the allowEmptyPasswords module option; set it to false and confirm the option name and default against the documentation for your release).
For JBoss Enterprise Web Platform (EWP) version 5.2.0, apply the same configuration change.
As a temporary workaround, reject unauthenticated binds at the directory itself so that an empty password can never succeed regardless of client behaviour: OpenLDAP rejects them by default (the allow bind_anon_dn directive re-enables them, so make sure it is not set), whereas Active Directory accepts them by default. Disabling the LdapLoginModule and LdapExtLoginModule modules entirely is also an option, at the cost of LDAP authentication until the configuration update can be applied.
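The following is an added example, not Red Hat or JBoss code, that makes the description and the recommendations above concrete: it BER-encodes the LDAP simple BindRequest the login modules send, shows that an empty password is a perfectly valid request on the wire, probes a directory for unauthenticated-bind acceptance, and contrasts the vulnerable forward-everything behaviour with the hardened reject-before-bind check. FakeDirectory is a constructed stand-in for an LDAP server so the example runs offline; the allow_empty_passwords parameter is named after the JBoss module option and is an assumption about naming, not a reimplementation of the modules.

```python
"""Empty-password LDAP bind check for CVE-2012-5629 (added example; not
Red Hat/JBoss code). All DNs, passwords and the FakeDirectory are constructed."""
import socket

SUCCESS, INVALID_CREDENTIALS, UNWILLING_TO_PERFORM = 0, 49, 53  # RFC 4511 resultCodes


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def _read_tlv(buf: bytes, pos: int):
    """Decode one tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def simple_bind_request(dn: str, password: str, message_id: int = 1) -> bytes:
    """LDAPv3 simple BindRequest (RFC 4511 section 4.2). An empty password is a
    valid zero-length [0] OCTET STRING, so nothing on the client side fails."""
    bind = _tlv(0x60,                                    # [APPLICATION 0] BindRequest
                _tlv(0x02, b"\x03")                      # version 3
                + _tlv(0x04, dn.encode("utf-8"))         # name (LDAPDN)
                + _tlv(0x80, password.encode("utf-8")))  # authentication: simple [0]
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + bind)


def bind_result_code(response: bytes) -> int:
    """Extract resultCode from a BindResponse ([APPLICATION 1])."""
    _, msg, _ = _read_tlv(response, 0)
    _, _msgid, pos = _read_tlv(msg, 0)
    tag, body, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse: tag 0x%02x" % tag)
    tag, code, _ = _read_tlv(body, 0)
    if tag != 0x0A:
        raise ValueError("resultCode must be ENUMERATED")
    return int.from_bytes(code, "big")


def probe_empty_bind(host: str, port: int, dn: str, timeout: float = 5.0) -> int:
    """Send a real DN with an empty password over plaintext LDAP (not LDAPS) and
    return the resultCode. SUCCESS (0) means the directory grants unauthenticated
    binds, so any client that forwards empty passwords logs the caller in as dn."""
    with socket.create_connection((host, port), timeout) as sock:
        sock.sendall(simple_bind_request(dn, ""))
        return bind_result_code(sock.recv(4096))


class FakeDirectory:
    """Constructed stand-in for an LDAP server; models RFC 4513 5.1.2 behaviour."""

    def __init__(self, passwords: dict, allow_unauthenticated_bind: bool):
        self.passwords = passwords
        self.allow_unauthenticated_bind = allow_unauthenticated_bind

    def bind(self, request: bytes) -> bytes:
        _, msg, _ = _read_tlv(request, 0)
        _, msgid, pos = _read_tlv(msg, 0)
        _, body, _ = _read_tlv(msg, pos)
        _, _version, pos = _read_tlv(body, 0)
        _, name, pos = _read_tlv(body, pos)
        _, cred, _ = _read_tlv(body, pos)
        if cred == b"":
            # DN with empty password: a permissive server says SUCCESS without
            # consulting any stored credential; a strict one refuses outright.
            code = SUCCESS if self.allow_unauthenticated_bind else UNWILLING_TO_PERFORM
        elif self.passwords.get(name.decode("utf-8")) == cred.decode("utf-8"):
            code = SUCCESS
        else:
            code = INVALID_CREDENTIALS
        result = _tlv(0x0A, bytes([code])) + _tlv(0x04, b"") + _tlv(0x04, b"")
        return _tlv(0x30, _tlv(0x02, msgid) + _tlv(0x61, result))


def login_module_authenticate(directory, dn: str, password: str,
                              allow_empty_passwords: bool) -> bool:
    """Bind step of a bind-based login module. allow_empty_passwords=True is the
    vulnerable behaviour: the empty password is forwarded and the directory's
    verdict is trusted. False refuses before binding, so the directory's
    unauthenticated-bind policy no longer decides who gets in."""
    if password == "" and not allow_empty_passwords:
        return False
    code = bind_result_code(directory.bind(simple_bind_request(dn, password)))
    return code == SUCCESS
```

To check a real directory, call probe_empty_bind("ldap.example.invalid", 389, "cn=admin,dc=example,dc=com") against a DN that exists; a resultCode of 0 means every client in front of that server must enforce the empty-password check itself, exactly the setting this advisory describes.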
Weakness Enumeration
Related Identifiers
Affected Products
Red Hat Jboss Enterprise Application Platform
Jboss Enterprise Web Platform