{"containers": {"cna": {"affected": [{"product": "JBoss EAP", "vendor": "Red Hat", "versions": [{"status": "affected", "version": "6"}]}], "descriptions": [{"lang": "en", "value": "In JBoss EAP 6 a security domain is configured to use a cache that is shared between all applications that are in the security domain. This could allow an authenticated user in one application to access protected resources in another application without proper authorization. Although this is an intended functionality, it was not clearly documented which can mislead users into thinking that a security domain cache is isolated to a single application."}], "problemTypes": [{"descriptions": [{"description": "Other", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-01-02T19:09:51", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0169"}, {"tags": ["x_refsource_MISC"], "url": "https://access.redhat.com/security/cve/cve-2014-0169"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T09:05:39.132Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0169"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://access.redhat.com/security/cve/cve-2014-0169"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2014-0169", "datePublished": "2020-01-02T19:09:51", "dateReserved": "2013-12-03T00:00:00", "dateUpdated": "2024-08-06T09:05:39.132Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "B142ACCC-F7A9-4A3B-BE60-0D6691D5058D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In JBoss EAP 6 a security domain is configured to use a cache that is shared between all applications that are in the security domain. This could allow an authenticated user in one application to access protected resources in another application without proper authorization. Although this is an intended functionality, it was not clearly documented which can mislead users into thinking that a security domain cache is isolated to a single application."}, {"lang": "es", "value": "En JBoss EAP versi\u00f3n 6, un dominio de seguridad est\u00e1 configurado para usar una cach\u00e9 que es compartida entre todas las aplicaciones que est\u00e1n en el dominio de seguridad. Esto podr\u00eda permitir a un usuario autenticado en una aplicaci\u00f3n acceder a recursos protegidos en otra aplicaci\u00f3n sin la autorizaci\u00f3n apropiada. Aunque esta es una funcionalidad prevista, no fue documentada claramente lo que puede inducir a  usuarios a pensar erradamente que una cach\u00e9 de dominio de seguridad est\u00e1 aislada en una \u00fanica aplicaci\u00f3n."}], "id": "CVE-2014-0169", "lastModified": "2024-11-21T02:01:32.593", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-01-02T20:15:16.663", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/cve-2014-0169"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0169"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/cve-2014-0169"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0169"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "This issue was discovered by Ondrej Lukas (Red Hat JBoss EAP Quality Engineering team).", "bugzilla": {"description": "EAP: cache is shared between all applications in a security domain", "id": "1084841", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1084841"}, "csaw": false, "cvss": {"cvss_base_score": "4.0", "cvss_scoring_vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "status": "draft"}, "details": ["In JBoss EAP 6 a security domain is configured to use a cache that is shared between all applications that are in the security domain. This could allow an authenticated user in one application to access protected resources in another application without proper authorization. Although this is an intended functionality, it was not clearly documented which can mislead users into thinking that a security domain cache is isolated to a single application."], "name": "CVE-2014-0169", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Affected", "package_name": "doc-Security_Guide", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Not affected", "package_name": "others", "product_name": "Red Hat JBoss Enterprise Web Server 1"}], "public_date": "2014-04-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2014-0169\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-0169"], "statement": "The fix for this flaw has been determined to be an addition to documentation. An admonition has been added to the relevant documentation that explain security domain usage in Red Hat JBoss Enterprise Application Platform 6. No security advisory will be published for this fix.", "threat_severity": "Moderate"}