CVE-2017-12149

Known Exploited (CISA KEV)CRITICAL

9.8

CVSS Severity Score

EPSS Score31.7230%

EPSS Percentile90.50th

Published2017年10月4日

Last Modified2026年4月21日

Vulnerability Description

In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data.

Affected Platforms (CPE)

📦

Redhat

Jboss Enterprise Application Platform

All versions

📦

Redhat

Jboss Enterprise Application Platform

= 5.0.0

📦

Redhat

Jboss Enterprise Application Platform

= 5.0.1

📦

Redhat

Jboss Enterprise Application Platform

= 5.1.0

📦

Redhat

Jboss Enterprise Application Platform

= 5.1.1

📦

Redhat

Jboss Enterprise Application Platform

= 5.1.2

📦

Redhat

Jboss Enterprise Application Platform

= 5.2.0

📦

Redhat

Jboss Enterprise Application Platform

= 5.2.1

📦

Redhat

Jboss Enterprise Application Platform

= 5.2.2

References & Advisories

🔗 http://www.securityfocus.com/bid/100591

🔗 https://access.redhat.com/errata/RHSA-2018:1607

🔗 https://access.redhat.com/errata/RHSA-2018:1608

🔗 https://bugzilla.redhat.com/show_bug.cgi?id=1486220

🔗 https://github.com/gottburgm/Exploits/tree/master/CVE-2017-12149

🔗 http://www.securityfocus.com/bid/100591

🔗 https://access.redhat.com/errata/RHSA-2018:1607

🔗 https://access.redhat.com/errata/RHSA-2018:1608

Vulnerability Description

Affected Platforms (CPE)

Jboss Enterprise Application Platform

Jboss Enterprise Application Platform

Jboss Enterprise Application Platform

Jboss Enterprise Application Platform

Jboss Enterprise Application Platform

Jboss Enterprise Application Platform

Jboss Enterprise Application Platform

Jboss Enterprise Application Platform

Jboss Enterprise Application Platform

References & Advisories

相關漏洞威脅