Bug 476080 (CVE-2008-5083)

Summary: CVE-2008-5083 JON unauthorized access private property
Product: [Other] Security Response Reporter: Marc Schoenefeld <mschoene>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE QA Contact:
Severity: medium Docs Contact:
Priority: low    
Version: unspecifiedCC: security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-12-27 14:05:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Comment 1 Marc Schoenefeld 2010-12-27 14:05:45 UTC 
This is a duplicate of RHQ-491: 

If the user knew the name of secured property such as 'principal' or 'credentials', they could get security information about the resources managed by JBoss ON.  The fix to this was to filter out any results that deal with PASSWORD types of properties.

The issue affected JON 2.1.x and was fixed with JON 2.1.2 SP1.

*** This bug has been marked as a duplicate of bug 536105 ***