Bug 1084841 (CVE-2014-0169) - CVE-2014-0169 JBoss EAP: cache is shared between all applications in a security domain
Summary: CVE-2014-0169 JBoss EAP: cache is shared between all applications in a securi...
Alias: CVE-2014-0169
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1073892 1084842 1084843 1084854
TreeView+ depends on / blocked
Reported: 2014-04-07 01:27 UTC by Arun Babu Neelicattu
Modified: 2023-05-12 19:29 UTC (History)
14 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-04-10 06:38:19 UTC

Attachments (Terms of Use)

Description Arun Babu Neelicattu 2014-04-07 01:27:49 UTC
When a security domain is configured to use a cache, this cache is shared between all application that are in the security domain. This could allow a user authenticated in one application to access protected resources in another despite not being authorized to do so. This is currently an intended functionality, but it was not clearly documented. Application developers could easily have assumed that a security domain cache is isolated to a single application.

Comment 4 Arun Babu Neelicattu 2014-04-07 07:02:30 UTC

This issue was discovered by Ondrej Lukas of the Red Hat JBoss EAP Quality Engineering team.

Comment 5 Arun Babu Neelicattu 2014-04-08 00:18:18 UTC

The fix for this flaw has been determined to be an addition to documentation. An admonition has been added to the relevant documentation that explain security domain usage in Red Hat JBoss Enterprise Application Platform 6. No security advisory will be published for this fix.

Note You need to log in before you can comment on or make changes to this bug.