CVE-2017-12149

Known Exploited (CISA KEV)CRITICAL

9.8

CVSS Severity Score

EPSS Score31.7230%

EPSS Percentile90.50th

PublishedOct 4, 2017

Last ModifiedApr 21, 2026

Vulnerability Description

In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data.

Affected Platforms (CPE)

📦

Redhat

Jboss Enterprise Application Platform

All versions

📦

Redhat

Jboss Enterprise Application Platform

= 5.0.0

📦

Redhat

Jboss Enterprise Application Platform

= 5.0.1

📦

Redhat

Jboss Enterprise Application Platform

= 5.1.0

📦

Redhat

Jboss Enterprise Application Platform

= 5.1.1

📦

Redhat

Jboss Enterprise Application Platform

= 5.1.2

📦

Redhat

Jboss Enterprise Application Platform

= 5.2.0

📦

Redhat

Jboss Enterprise Application Platform

= 5.2.1

📦

Redhat

Jboss Enterprise Application Platform

= 5.2.2

References & Advisories

🔗 http://www.securityfocus.com/bid/100591

🔗 https://access.redhat.com/errata/RHSA-2018:1607

🔗 https://access.redhat.com/errata/RHSA-2018:1608

🔗 https://bugzilla.redhat.com/show_bug.cgi?id=1486220

🔗 https://github.com/gottburgm/Exploits/tree/master/CVE-2017-12149

🔗 http://www.securityfocus.com/bid/100591

🔗 https://access.redhat.com/errata/RHSA-2018:1607

🔗 https://access.redhat.com/errata/RHSA-2018:1608

Vulnerability Description

Affected Platforms (CPE)

Jboss Enterprise Application Platform

Jboss Enterprise Application Platform

Jboss Enterprise Application Platform

Jboss Enterprise Application Platform

Jboss Enterprise Application Platform

Jboss Enterprise Application Platform

Jboss Enterprise Application Platform

Jboss Enterprise Application Platform

Jboss Enterprise Application Platform

References & Advisories

Related Vulnerabilities