CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
---|---|---|
6.2 | $5k-$25k | 0.00 |
A vulnerability was found in Red Hat JBoss Operations Network 3 (Application Server Software). It has been classified as critical. Affected is some unknown processing. The manipulation with an unknown input leads to a use of externally-controlled input to select classes or code vulnerability. CWE is classifying the issue as CWE-470. The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:
It was found that the fix for CVE-2014-0114 had been reverted in JBoss Operations Network 3 (JON). This flaw allows attackers to manipulate ClassLoader properties on a vulnerable server. Exploits that have been published rely on ClassLoader properties that are exposed such as those in JON 3. Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/site/solutions/869353. Note that while multiple products released patches for the original CVE-2014-0114 flaw, the reversion described by this CVE-2019-3834 flaw only occurred in JON 3.
The weakness was published 10/03/2019 as not defined bug report (Bugzilla). The advisory is available at bugzilla.redhat.com. This vulnerability is traded as CVE-2019-3834 since 01/03/2019. The exploitability is told to be difficult. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. The technical details are unknown and an exploit is not available. The structure of the vulnerability defines a possible price range of USD $5k-$25k at the moment (estimation calculated on 12/29/2023).
There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.
Similar entries are available at VDB-65341, VDB-65883, VDB-66840 and VDB-69281.
Product
Type
Vendor
Name
Version
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB CVSS-B Score: 🔍VulDB CVSS-BT Score: 🔍
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 6.2VulDB Meta Temp Score: 6.2
VulDB Base Score: 5.6
VulDB Temp Score: 5.6
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 7.3
NVD Vector: 🔍
CNA Base Score: 5.6
CNA Vector (Red Hat, Inc.): 🔍
CVSSv2
AV | AC | Au | C | I | A |
---|---|---|---|---|---|
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
---|---|---|---|---|---|
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Use of externally-controlled input to select classes or codeCWE: CWE-470
CAPEC: 🔍
ATT&CK: 🔍
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
0-Day | unlock | unlock | unlock | unlock |
---|---|---|---|---|
Today | unlock | unlock | unlock | unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: no mitigation knownStatus: 🔍
0-Day Time: 🔍
Timeline
01/03/2019 🔍10/03/2019 🔍
10/03/2019 🔍
12/29/2023 🔍
Sources
Vendor: redhat.comAdvisory: bugzilla.redhat.com
Status: Not defined
Confirmation: 🔍
CVE: CVE-2019-3834 (🔍)
See also: 🔍
Entry
Created: 10/03/2019 19:55Updated: 12/29/2023 21:35
Changes: 10/03/2019 19:55 (54), 09/20/2020 20:12 (1), 12/29/2023 21:35 (14)
Complete: 🔍
Cache ID: 18:790:103
No comments yet. Languages: en.
Please log in to comment.