CVE-2017-12149NVD

Vulnerability Summary

In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data.

Severity Level

CRITICAL(9.8)

Published Date

Oct 4, 2017

Last Modified

Apr 21, 2026

Exploitation Status

????

EPSS Score (30-Day)

94.29%Probability

Root Weakness (CWE)

CWE-502: Unknown/Unlisted Weakness ↗

Refer to the official MITRE database for detailed architectural specifications regarding this weakness.

CVSS v3.1 Base Metrics

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

ScopeUnchanged

ConfidentialityHigh

IntegrityHigh

AvailabilityHigh

External References

http://www.securityfocus.com/bid/100591
https://access.redhat.com/errata/RHSA-2018:1607
https://access.redhat.com/errata/RHSA-2018:1608
https://bugzilla.redhat.com/show_bug.cgi?id=1486220
https://github.com/gottburgm/Exploits/tree/master/CVE-2017-12149
http://www.securityfocus.com/bid/100591
https://access.redhat.com/errata/RHSA-2018:1607
https://access.redhat.com/errata/RHSA-2018:1608
https://bugzilla.redhat.com/show_bug.cgi?id=1486220
https://github.com/gottburgm/Exploits/tree/master/CVE-2017-12149
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-12149

Critical Alert 3 Active Exploits Detected Today

Critical Alert

CVE Watchtower

CVE-2017-12149NVD

Vulnerability Summary

External References