Back to KEVs

CVE-2017-12149

In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the...

Basic Information

CVE State
PUBLISHED
Reserved Date
August 01, 2017
Published Date
October 04, 2017
Last Updated
February 07, 2025
Vendor
Red Hat, Inc.
Product
jbossas
Description
In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data.
Tags
cisa malware ransomware nuclei_scanner

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0

7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

SSVC Information

Exploitation
active
Automatable
Yes
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2021-12-10 00:00:00 UTC) Source
Proof of Concept Available
Yes (added 2023-08-06 12:11:43 UTC) Source
Used in Malware
Yes (added 2021-12-10 00:00:00 UTC) Source

References

https://bugzilla.redhat.com/show_bug.cgi?id=1486220 https://access.redhat.com/errata/RHSA-2018:1608 https://github.com/gottburgm/Exploits/tree/master/CVE-2017-12149 http://www.securityfocus.com/bid/100591 https://access.redhat.com/errata/RHSA-2018:1607

Known Exploited Vulnerability Information

Source Added Date
CISA 2021-12-10 00:00:00 UTC

Scanner Integrations

Scanner URL Date Detected
Nuclei https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2017/CVE-2017-12149.yaml 2025-04-26 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

JesseClarkND/CVE-2017-12149

Type: github • Created: 2024-04-30 18:40:48 UTC • Stars: 0

Update of https://github.com/1337g/CVE-2017-12149 to work with python3

MrE-Fog/jboss-_CVE-2017-12149

Type: github • Created: 2023-08-06 12:11:43 UTC • Stars: 0

VVeakee/CVE-2017-12149

Type: github • Created: 2022-04-14 13:24:51 UTC • Stars: 0

jreppiks/CVE-2017-12149

Type: github • Created: 2019-08-22 21:06:09 UTC • Stars: 12

Jboss Java Deserialization RCE (CVE-2017-12149)

1337g/CVE-2017-12149

Type: github • Created: 2017-12-22 07:30:29 UTC • Stars: 15

CVE-2017-12149 JBOSS RCE (TESTED)

yunxu1/jboss-_CVE-2017-12149

Type: github • Created: 2017-11-28 02:52:47 UTC • Stars: 206

CVE-2017-12149 jboss反序列化 可回显

sevck/CVE-2017-12149

Type: github • Created: 2017-11-21 10:48:24 UTC • Stars: 22

CVE-2017-12149 JBOSS as 6.X反序列化(反弹shell版)

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Exploit Used in Malware

  • Added to KEVIntel

  • Proof of Concept Exploit Available

  • Detected by Nuclei