Vulnerability detail
Enriched intelligence for a single CVE
Critical
CVE-2017-12149
- Vendor: Red Hat, Inc.
- Product: jbossas
- Published: Oct 04, 2017
- EPSS: —
Description
In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict the classes for which it performs deserialization, thus allowing an attacker to execute arbitrary code via crafted serialized data.
CVSS scores
- CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CVSS v2 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
SSVC decision points
- Exploitation: active
- Automatable: Yes
- Technical impact: total
Known exploited vulnerability sources
Catalogues that list this CVE as a known exploited vulnerability.
| Source | Added |
|---|---|
| CISA | Dec 10, 2021 |
Scanner integrations
| Scanner | Reference | Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2017/CVE-2017-12149.yaml | Apr 25, 2025 |
Potential proof of concepts
These PoCs are unverified and could contain malware. Use at your own risk.
github · Created 2024-04-30 18:40:48 UTC · 0 stars
Update of https://github.com/1337g/CVE-2017-12149 to work with python3
github · Created 2023-08-06 12:11:43 UTC · 0 stars
github · Created 2022-04-14 13:24:51 UTC · 0 stars
github · Created 2019-08-22 21:06:09 UTC · 12 stars
Jboss Java Deserialization RCE (CVE-2017-12149)
github · Created 2017-12-22 07:30:29 UTC · 15 stars
CVE-2017-12149 JBOSS RCE (TESTED)
github · Created 2017-11-28 02:52:47 UTC · 206 stars
CVE-2017-12149 JBoss deserialization, with echoed output
github · Created 2017-11-21 10:48:24 UTC · 22 stars
CVE-2017-12149 JBOSS AS 6.X deserialization (reverse shell version)
Timeline
- CVE ID Reserved
- CVE Published to Public
- Exploit Used in Malware
- Added to KEVIntel
- Detected by Nuclei