Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

Unknown

Privileges Required

Unknown

Attack Vector

Unknown

0

CVE-2010-0738

Disclosure Date: April 28, 2010 •

Exploited in the Wild

Reported by gwillcox-r7
View Source Details

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Metasploit Module

JBoss Java Class DeploymentFileRepository WAR Deployment

JBoss Vulnerability Scanner

SAP URL Scanner

See More

Description

The JMX-Console web application in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to send requests to this application’s GET handler by using a different method.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

Metasploit Modules

JBoss Java Class DeploymentFileRepository WAR Deployment (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/jboss_deploymentfilerepository.rb)

JBoss Vulnerability Scanner (https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/jboss_vulnscan.rb)

SAP URL Scanner (https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb)

JBoss JMX Console DeploymentFileRepository WAR Upload and Deployment (https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/jboss_deploymentfilerepository.rb)

JBoss JMX Console Beanshell Deployer WAR Upload and Deployment (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/jboss_bshdeployer.rb)

JBoss JMX Console Deployer Upload and Execute (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/jboss_maindeployer.rb)

JBoss JMX Console Beanshell Deployer WAR Upload and Deployment (https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/jboss_bshdeployer.rb)

Exploited in the Wild

Reported by:

gwillcox-r7 indicated source as Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

Reported: June 03, 2022 8:05pm UTC (7 months ago)

References

Canonical

CVE-2010-0738 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0738)

BID-39710 (http://www.securityfocus.com/bid/39710)

Advisory

https://rhn.redhat.com/errata/RHSA-2010-0379.html

https://rhn.redhat.com/errata/RHSA-2010-0378.html

https://bugzilla.redhat.com/show_bug.cgi?id=574105

https://rhn.redhat.com/errata/RHSA-2010-0376.html

SREASON-8408 (http://securityreason.com/securityalert/8408)

https://rhn.redhat.com/errata/RHSA-2010-0377.html

http://public.support.unisys.com/common/public/vulnerability/NVD_Detail_Rpt.aspx?ID=35

ADV-2010-0992 (http://www.vupen.com/english/advisories/2010/0992)

HPSBMU02714 (http://marc.info?l=bugtraq&m=132129312609324&w=2)

XF-jboss-jmxconsole-security-bypass(58147) (https://exchange.xforce.ibmcloud.com/vulnerabilities/58147)

SECUNIA-39563 (http://secunia.com/advisories/39563)

SECTRACK-1023918 (http://securitytracker.com/id?1023918)

Rapid7

Technical Analysis