CVE-2010-0738

CVE-2010-0738 is a medium-severity vulnerability in Redhat Jboss Enterprise Application Platform with a CVSS 3.x base score of 5.3. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-05-25). The underlying weakness is classified as CWE-749.

Key facts

Description

The JMX-Console web application in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to send requests to this application's GET handler by using a different method.

CVE-2010-0738: JBoss EAP JMX-Console HTTP Method Authentication Bypass

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2010-0738
CWE CWE-749: Exposed Dangerous Method or Function
CVSS v2 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS v3 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
EPSS 0.79415 (99.56th percentile)
KEV Yes — added to CISA catalog 2022-05-25
Source NVD

Summary

The JMX-Console web application in Red Hat JBoss Enterprise Application Platform (EAP) 4.2 and 4.3 enforces access control exclusively for GET and POST requests. Remote attackers can bypass this restriction by sending requests with alternative HTTP methods, gaining unauthenticated access to the JMX-Console's administrative GET handler.

Background

JBoss EAP is a Java EE-compliant application server widely deployed in enterprise environments. The JMX-Console provides a web-based interface for interacting with Java Management Extensions (JMX) MBeans, which expose runtime metrics, configuration, and management operations. By design, the JMX-Console should be protected by authentication; however, the security constraints in early JBoss EAP 4.x releases were incomplete.

Root Cause

The vulnerability maps to CWE-749: Exposed Dangerous Method or Function. The JMX-Console's deployment descriptor restricted access control to GET and POST methods only. The Java EE servlet specification allows security constraints to be defined per HTTP method; when other methods are not explicitly constrained, the servlet container does not enforce authentication for them. This design oversight permits attackers to reach the same administrative endpoints using methods such as HEAD, PUT, DELETE, or non-standard verbs, effectively bypassing the intended authentication gate.

Impact

  • CVSS v2: 5.0 (MEDIUM) — Network exploitable, low complexity, no authentication required. Partial confidentiality impact.
  • CVSS v3: 5.3 (MEDIUM) — Network vector, low attack complexity, no privileges or user interaction required. Low integrity impact; no confidentiality or availability impact per the published vectors.

Successful bypass exposes the JMX-Console management interface to unauthenticated users. Because the JMX-Console can invoke MBean operations, further attacker actions may include information disclosure, configuration changes, or application deployment, depending on the MBeans exposed.

Exploitation Walkthrough

Ethics caveat: This section is provided for defensive awareness only. Accessing systems without authorization is illegal.

The attack relies on HTTP verb tampering. In a typical scenario:

  1. An attacker identifies an exposed JMX-Console endpoint (e.g., /jmx-console/).
  2. Instead of sending a GET or POST request (which would trigger the authentication prompt), the attacker sends a request using an unconstrained HTTP method such as HEAD, PUT, DELETE, or a custom method.
  3. Because the security constraint does not cover these methods, the servlet container processes the request without requiring credentials.
  4. The attacker can then interact with the JMX-Console's GET handler and underlying MBeans, potentially chaining this bypass with other JMX-Console weaknesses for further compromise.

Defenders should note that this is not a cryptographic bypass but a configuration-level access control failure; the fix is to enforce authentication across all HTTP methods.

Affected and Patched Versions

  • Affected: Red Hat JBoss Enterprise Application Platform 4.2 before 4.2.0.CP09
  • Affected: Red Hat JBoss Enterprise Application Platform 4.3 before 4.3.0.CP08
  • Patched: JBoss EAP 4.2.0.CP09 and later; JBoss EAP 4.3.0.CP08 and later

Remediation

  1. Upgrade: Apply the relevant cumulative patch (CP09 for 4.2, CP08 for 4.3) or upgrade to a supported JBoss EAP release.
  2. Compensating controls:
    • If upgrading is not immediately possible, restrict network access to the JMX-Console using firewall rules or reverse proxy policies so that only trusted administrative hosts can reach it.
    • Consider removing or disabling the JMX-Console in production environments if it is not required.
    • Implement Web Application Firewall (WAF) rules to block non-essential HTTP methods on administrative paths.

Detection

  • Monitor web server and application access logs for non-GET/POST requests to /jmx-console/ or similar administrative paths.
  • Alert on unusual HTTP methods (HEAD, PUT, DELETE, TRACE, OPTIONS, etc.) targeting management interfaces.
  • Correlate JMX-Console access events with authentication logs; unauthenticated requests to protected admin endpoints should trigger an incident response review.

Assessment

  • EPSS: 0.79415 (99.56th percentile) — Among the most probable vulnerabilities to be exploited in the wild.
  • KEV: Listed in CISA's Known Exploited Vulnerabilities catalog since 2022-05-25 and flagged in the EU exploited vulnerabilities database.
  • Ransomware relevance: This vulnerability has been observed in ransomware campaigns.

Key lessons:

  1. Method-level access control is fragile. Security constraints must cover all HTTP methods, or authentication must be enforced at the application layer before method dispatch.
  2. Management interfaces are high-value targets. Exposing JMX-Console or similar administrative consoles to untrusted networks dramatically increases attack surface. Network segmentation and least-privilege access remain foundational defenses.

References

Frequently asked questions

What is CVE-2010-0738?
The JMX-Console web application in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to send requests to this application's GET handler by using a different method.
How severe is CVE-2010-0738?
CVE-2010-0738 has a CVSS 3.x base score of 5.3, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity low, and availability none.
Is CVE-2010-0738 being actively exploited?
Yes. CVE-2010-0738 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-05-25, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2010-0738?
CVE-2010-0738 primarily affects Redhat Jboss Enterprise Application Platform. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2010-0738?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2010-0738 have an EU (EUVD) identifier?
Yes. CVE-2010-0738 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2010-0764. It is also flagged as exploited in the EUVD (since 2022-05-25).
When was CVE-2010-0738 published?
CVE-2010-0738 was published on 2010-04-28 and last updated on 2026-06-16.

References

Affected products (2)

More vulnerabilities in Redhat Jboss Enterprise Application Platform

All CVEs affecting Redhat Jboss Enterprise Application Platform →

Other CWE-749 vulnerabilities

Browse all CWE-749 vulnerabilities →