Description
The default configuration of the JBossAs component in Red Hat JBoss Enterprise Application Platform (aka JBossEAP or EAP), possibly 4.2 before CP04 and 4.3 before CP02, when a production environment is enabled, sets the DownloadServerClasses property to true, which allows remote attackers to obtain sensitive information (non-EJB classes) via a download request, a different vulnerability than CVE-2008-3273.
Analysis
Analysis and contextual insights are available on OpenCVE Cloud.
Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).
| Vendor | Product | Default status | Versions | ||||||
|---|---|---|---|---|---|---|---|---|---|
| n/a | n/a | affected |
|
Configuration 1 [-]
|
| Package | CPE | Advisory | Released Date |
|---|---|---|---|
| JBEAP 4.2.0 for RHEL 4 | |||
| glassfish-javamail-0:1.4.0-0jpp.ep1.10.el4 | cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4 | RHSA-2008:0833 | 2008-09-22T00:00:00Z |
| hibernate3-1:3.2.4-1.SP1_CP04.0jpp.ep1.3.el4 | cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4 | RHSA-2008:0833 | 2008-09-22T00:00:00Z |
| hibernate3-annotations-0:3.2.1-4.GA_CP02.1jpp.ep1.7.el4 | cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4 | RHSA-2008:0833 | 2008-09-22T00:00:00Z |
| hibernate3-validator-0:0.0.0-1.1jpp.ep1.1.el4 | cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4 | RHSA-2008:0833 | 2008-09-22T00:00:00Z |
| jboss-aop-0:1.5.5-2.CP02.0jpp.ep1.2.el4 | cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4 | RHSA-2008:0833 | 2008-09-22T00:00:00Z |
| jbossas-0:4.2.0-3.GA_CP04.ep1.8.el4 | cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4 | RHSA-2008:0833 | 2008-09-22T00:00:00Z |
| jboss-remoting-0:2.2.2-3.SP9.0jpp.ep1.1.el4 | cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4 | RHSA-2008:0833 | 2008-09-22T00:00:00Z |
| jboss-seam-0:1.2.1-1.ep1.10.el4 | cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4 | RHSA-2008:0833 | 2008-09-22T00:00:00Z |
| jbossts-1:4.2.3-1.SP5_CP02.1jpp.ep1.1.el4 | cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4 | RHSA-2008:0833 | 2008-09-22T00:00:00Z |
| jbossweb-0:2.0.0-4.CP06.0jpp.ep1.1.el4 | cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4 | RHSA-2008:0833 | 2008-09-22T00:00:00Z |
| rh-eap-docs-0:4.2.0-4.GA_CP04.ep1.5.el4 | cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4 | RHSA-2008:0833 | 2008-09-22T00:00:00Z |
| JBEAP 4.2.0 for RHEL 5 | |||
| hibernate3-1:3.2.4-1.SP1_CP04.0jpp.ep1.3.el5 | cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el5 | RHSA-2008:0834 | 2008-09-22T00:00:00Z |
| hibernate3-annotations-0:3.2.1-4.GA_CP02.1jpp.ep1.7.el5.1 | cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el5 | RHSA-2008:0834 | 2008-09-22T00:00:00Z |
| jboss-aop-0:1.5.5-2.CP02.0jpp.ep1.2.el5 | cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el5 | RHSA-2008:0834 | 2008-09-22T00:00:00Z |
| jbossas-0:4.2.0-4.GA_CP04.ep1.7.el5.6 | cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el5 | RHSA-2008:0834 | 2008-09-22T00:00:00Z |
| jboss-remoting-0:2.2.2-3.SP9.0jpp.ep1.2.el5 | cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el5 | RHSA-2008:0834 | 2008-09-22T00:00:00Z |
| jboss-seam-0:1.2.1-1.ep1.9.el5 | cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el5 | RHSA-2008:0834 | 2008-09-22T00:00:00Z |
| jbossts-1:4.2.3-1.SP5_CP02.1jpp.ep1.2.el5 | cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el5 | RHSA-2008:0834 | 2008-09-22T00:00:00Z |
| jbossweb-0:2.0.0-4.CP06.0jpp.ep1.1.el5 | cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el5 | RHSA-2008:0834 | 2008-09-22T00:00:00Z |
| rh-eap-docs-0:4.2.0-4.GA_CP04.ep1.3.el5 | cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el5 | RHSA-2008:0834 | 2008-09-22T00:00:00Z |
| Red Hat JBoss Enterprise Application Platform 4.3 for RHEL 4 | |||
| glassfish-javamail-0:1.4.0-0jpp.ep1.10.el4 | cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4 | RHSA-2008:0831 | 2008-09-22T00:00:00Z |
| glassfish-jaxb-0:2.1.4-1jpp.ep1.2.el4 | cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4 | RHSA-2008:0831 | 2008-09-22T00:00:00Z |
| glassfish-jaxws-0:2.1.1-1jpp.ep1.3.el4 | cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4 | RHSA-2008:0831 | 2008-09-22T00:00:00Z |
| hibernate3-1:3.2.4-1.SP1_CP04.0jpp.ep1.3.el4 | cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4 | RHSA-2008:0831 | 2008-09-22T00:00:00Z |
| hibernate3-annotations-0:3.2.1-4.GA_CP02.1jpp.ep1.7.el4 | cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4 | RHSA-2008:0831 | 2008-09-22T00:00:00Z |
| hibernate3-validator-0:0.0.0-1.1jpp.ep1.1.el4 | cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4 | RHSA-2008:0831 | 2008-09-22T00:00:00Z |
| javassist-0:3.8.0-1.ep1.el4 | cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4 | RHSA-2008:0831 | 2008-09-22T00:00:00Z |
| jboss-aop-0:1.5.5-2.CP02.0jpp.ep1.2.el4 | cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4 | RHSA-2008:0831 | 2008-09-22T00:00:00Z |
| jbossas-0:4.3.0-2.GA_CP02.ep1.10.el4 | cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4 | RHSA-2008:0831 | 2008-09-22T00:00:00Z |
| jboss-messaging-0:1.4.0-1.SP3_CP03.0jpp.ep1.3.el4 | cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4 | RHSA-2008:0831 | 2008-09-22T00:00:00Z |
| jboss-remoting-0:2.2.2-3.SP9.0jpp.ep1.1.el4 | cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4 | RHSA-2008:0831 | 2008-09-22T00:00:00Z |
| jboss-seam-0:1.2.1-3.JBPAPP_4_3_0_GA.ep1.10.el4 | cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4 | RHSA-2008:0831 | 2008-09-22T00:00:00Z |
| jbossts-1:4.2.3-1.SP5_CP02.1jpp.ep1.1.el4 | cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4 | RHSA-2008:0831 | 2008-09-22T00:00:00Z |
| jbossweb-0:2.0.0-4.CP06.0jpp.ep1.1.el4 | cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4 | RHSA-2008:0831 | 2008-09-22T00:00:00Z |
| jbossws-0:2.0.1-2.SP2_CP03.0jpp.ep1.1.el4 | cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4 | RHSA-2008:0831 | 2008-09-22T00:00:00Z |
| jbossws-common-0:1.0.0-1.GA_CP01.0jpp.ep1.3.el4 | cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4 | RHSA-2008:0831 | 2008-09-22T00:00:00Z |
| jbossws-framework-0:2.0.1-0jpp.ep1.11.el4 | cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4 | RHSA-2008:0831 | 2008-09-22T00:00:00Z |
| rh-eap-docs-0:4.3.0-3.GA_CP02.ep1.9.el4 | cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el4 | RHSA-2008:0831 | 2008-09-22T00:00:00Z |
| Red Hat JBoss Enterprise Application Platform 4.3 for RHEL 5 | |||
| glassfish-jaf-0:1.1.0-0jpp.ep1.12.el5.1 | cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 | RHSA-2008:0832 | 2008-09-22T00:00:00Z |
| glassfish-javamail-0:1.4.0-0jpp.ep1.10.el5 | cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 | RHSA-2008:0832 | 2008-09-22T00:00:00Z |
| glassfish-jaxb-0:2.1.4-1jpp.ep1.4.el5.2 | cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 | RHSA-2008:0832 | 2008-09-22T00:00:00Z |
| glassfish-jaxws-0:2.1.1-1jpp.ep1.3.el5 | cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 | RHSA-2008:0832 | 2008-09-22T00:00:00Z |
| glassfish-jstl-0:1.2.0-0jpp.ep1.10.el5 | cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 | RHSA-2008:0832 | 2008-09-22T00:00:00Z |
| hibernate3-1:3.2.4-1.SP1_CP04.0jpp.ep1.3.el5 | cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 | RHSA-2008:0832 | 2008-09-22T00:00:00Z |
| hibernate3-annotations-0:3.2.1-4.GA_CP02.1jpp.ep1.7.el5.1 | cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 | RHSA-2008:0832 | 2008-09-22T00:00:00Z |
| hibernate3-commons-annotations-0:0.0.0-1.1jpp.ep1.1.el5 | cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 | RHSA-2008:0832 | 2008-09-22T00:00:00Z |
| hibernate3-entitymanager-0:3.2.1-2.GA_CP03.1jpp.ep1.9.el5 | cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 | RHSA-2008:0832 | 2008-09-22T00:00:00Z |
| hibernate3-validator-0:0.0.0-1.1jpp.ep1.1.el5 | cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 | RHSA-2008:0832 | 2008-09-22T00:00:00Z |
| javassist-0:3.8.0-1jpp.ep1.2.el5 | cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 | RHSA-2008:0832 | 2008-09-22T00:00:00Z |
| jboss-aop-0:1.5.5-2.CP02.0jpp.ep1.2.el5 | cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 | RHSA-2008:0832 | 2008-09-22T00:00:00Z |
| jbossas-0:4.3.0-2.GA_CP02.ep1.10.el5.2 | cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 | RHSA-2008:0832 | 2008-09-22T00:00:00Z |
| jboss-jaxr-0:1.2.0-SP1.0jpp.ep1.4.el5 | cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 | RHSA-2008:0832 | 2008-09-22T00:00:00Z |
| jboss-messaging-0:1.4.0-1.SP3_CP03.0jpp.ep1.3.el5 | cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 | RHSA-2008:0832 | 2008-09-22T00:00:00Z |
| jboss-remoting-0:2.2.2-3.SP9.0jpp.ep1.2.el5 | cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 | RHSA-2008:0832 | 2008-09-22T00:00:00Z |
| jboss-seam-0:1.2.1-3.JBPAPP_4_3_0_GA.ep1.7.el5.1 | cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 | RHSA-2008:0832 | 2008-09-22T00:00:00Z |
| jbossts-1:4.2.3-1.SP5_CP02.1jpp.ep1.2.el5 | cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 | RHSA-2008:0832 | 2008-09-22T00:00:00Z |
| jbossweb-0:2.0.0-4.CP06.0jpp.ep1.1.el5 | cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 | RHSA-2008:0832 | 2008-09-22T00:00:00Z |
| jbossws-0:2.0.1-2.SP2_CP03.0jpp.ep1.1.el5.1 | cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 | RHSA-2008:0832 | 2008-09-22T00:00:00Z |
| jbossws-common-0:1.0.0-1.GA_CP01.0jpp.ep1.3.el5 | cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 | RHSA-2008:0832 | 2008-09-22T00:00:00Z |
| jbossws-framework-0:2.0.1-0jpp.ep1.11.el5 | cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 | RHSA-2008:0832 | 2008-09-22T00:00:00Z |
| jbossxb-0:1.0.0-2.SP3.0jpp.ep1.3.el5.1 | cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 | RHSA-2008:0832 | 2008-09-22T00:00:00Z |
| rh-eap-docs-0:4.3.0-2.GA_CP02.ep1.6.el5 | cpe:/a:redhat:jboss_enterprise_application_platform:4.3.0::el5 | RHSA-2008:0832 | 2008-09-22T00:00:00Z |
No data available yet.
Remediation
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
 EUVD |
EUVD-2008-3505 | The default configuration of the JBossAs component in Red Hat JBoss Enterprise Application Platform (aka JBossEAP or EAP), possibly 4.2 before CP04 and 4.3 before CP02, when a production environment is enabled, sets the DownloadServerClasses property to true, which allows remote attackers to obtain sensitive information (non-EJB classes) via a download request, a different vulnerability than CVE-2008-3273. |
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: redhat
Published:
Updated: 2024-08-07T09:45:17.958Z
Reserved: 2008-08-07T00:00:00.000Z
Link: CVE-2008-3519
Vulnrichment
No data.
NVD
Status : Modified
Published: 2008-09-23T15:24:43.313
Modified: 2026-04-23T00:35:47.467
Link: CVE-2008-3519
Redhat
OpenCVE Enrichment
No data.
Weaknesses