CVE-2010-0738
CVE-2010-0738 is a medium-severity vulnerability in Redhat Jboss Enterprise Application Platform with a CVSS 3.x base score of 5.3. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-05-25). The underlying weakness is classified as CWE-749.
Key facts
- Severity: Medium (CVSS 3.x base score 5.3)
- CVSS v2: 5.0
- EPSS exploit prediction: 79% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-05-25)
- EU (EUVD) id: EUVD-2010-0764
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-05-25)
- Weakness: CWE-749
- Affected product: Redhat Jboss Enterprise Application Platform
- Published:
- Last modified:
Description
The JMX-Console web application in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to send requests to this application's GET handler by using a different method.
CVE-2010-0738: JBoss EAP JMX-Console HTTP Method Authentication Bypass
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2010-0738 |
| CWE | CWE-749: Exposed Dangerous Method or Function |
| CVSS v2 | 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) |
| CVSS v3 | 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) |
| EPSS | 0.79415 (99.56th percentile) |
| KEV | Yes — added to CISA catalog 2022-05-25 |
| Source | NVD |
Summary
The JMX-Console web application in Red Hat JBoss Enterprise Application Platform (EAP) 4.2 and 4.3 enforces access control exclusively for GET and POST requests. Remote attackers can bypass this restriction by sending requests with alternative HTTP methods, gaining unauthenticated access to the JMX-Console's administrative GET handler.
Background
JBoss EAP is a Java EE-compliant application server widely deployed in enterprise environments. The JMX-Console provides a web-based interface for interacting with Java Management Extensions (JMX) MBeans, which expose runtime metrics, configuration, and management operations. By design, the JMX-Console should be protected by authentication; however, the security constraints in early JBoss EAP 4.x releases were incomplete.
Root Cause
The vulnerability maps to CWE-749: Exposed Dangerous Method or Function. The JMX-Console's deployment descriptor restricted access control to GET and POST methods only. The Java EE servlet specification allows security constraints to be defined per HTTP method; when other methods are not explicitly constrained, the servlet container does not enforce authentication for them. This design oversight permits attackers to reach the same administrative endpoints using methods such as HEAD, PUT, DELETE, or non-standard verbs, effectively bypassing the intended authentication gate.
Impact
- CVSS v2: 5.0 (MEDIUM) — Network exploitable, low complexity, no authentication required. Partial confidentiality impact.
- CVSS v3: 5.3 (MEDIUM) — Network vector, low attack complexity, no privileges or user interaction required. Low integrity impact; no confidentiality or availability impact per the published vectors.
Successful bypass exposes the JMX-Console management interface to unauthenticated users. Because the JMX-Console can invoke MBean operations, further attacker actions may include information disclosure, configuration changes, or application deployment, depending on the MBeans exposed.
Exploitation Walkthrough
Ethics caveat: This section is provided for defensive awareness only. Accessing systems without authorization is illegal.
The attack relies on HTTP verb tampering. In a typical scenario:
- An attacker identifies an exposed JMX-Console endpoint (e.g.,
/jmx-console/). - Instead of sending a
GETorPOSTrequest (which would trigger the authentication prompt), the attacker sends a request using an unconstrained HTTP method such asHEAD,PUT,DELETE, or a custom method. - Because the security constraint does not cover these methods, the servlet container processes the request without requiring credentials.
- The attacker can then interact with the JMX-Console's GET handler and underlying MBeans, potentially chaining this bypass with other JMX-Console weaknesses for further compromise.
Defenders should note that this is not a cryptographic bypass but a configuration-level access control failure; the fix is to enforce authentication across all HTTP methods.
Affected and Patched Versions
- Affected: Red Hat JBoss Enterprise Application Platform 4.2 before 4.2.0.CP09
- Affected: Red Hat JBoss Enterprise Application Platform 4.3 before 4.3.0.CP08
- Patched: JBoss EAP 4.2.0.CP09 and later; JBoss EAP 4.3.0.CP08 and later
Remediation
- Upgrade: Apply the relevant cumulative patch (CP09 for 4.2, CP08 for 4.3) or upgrade to a supported JBoss EAP release.
- Compensating controls:
- If upgrading is not immediately possible, restrict network access to the JMX-Console using firewall rules or reverse proxy policies so that only trusted administrative hosts can reach it.
- Consider removing or disabling the JMX-Console in production environments if it is not required.
- Implement Web Application Firewall (WAF) rules to block non-essential HTTP methods on administrative paths.
Detection
- Monitor web server and application access logs for non-
GET/POSTrequests to/jmx-console/or similar administrative paths. - Alert on unusual HTTP methods (
HEAD,PUT,DELETE,TRACE,OPTIONS, etc.) targeting management interfaces. - Correlate JMX-Console access events with authentication logs; unauthenticated requests to protected admin endpoints should trigger an incident response review.
Assessment
- EPSS: 0.79415 (99.56th percentile) — Among the most probable vulnerabilities to be exploited in the wild.
- KEV: Listed in CISA's Known Exploited Vulnerabilities catalog since 2022-05-25 and flagged in the EU exploited vulnerabilities database.
- Ransomware relevance: This vulnerability has been observed in ransomware campaigns.
Key lessons:
- Method-level access control is fragile. Security constraints must cover all HTTP methods, or authentication must be enforced at the application layer before method dispatch.
- Management interfaces are high-value targets. Exposing JMX-Console or similar administrative consoles to untrusted networks dramatically increases attack surface. Network segmentation and least-privilege access remain foundational defenses.
References
Frequently asked questions
- What is CVE-2010-0738?
- The JMX-Console web application in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to send requests to this application's GET handler by using a different method.
- How severe is CVE-2010-0738?
- CVE-2010-0738 has a CVSS 3.x base score of 5.3, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity low, and availability none.
- Is CVE-2010-0738 being actively exploited?
- Yes. CVE-2010-0738 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-05-25, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2010-0738?
- CVE-2010-0738 primarily affects Redhat Jboss Enterprise Application Platform. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2010-0738?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2010-0738 have an EU (EUVD) identifier?
- Yes. CVE-2010-0738 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2010-0764. It is also flagged as exploited in the EUVD (since 2022-05-25).
- When was CVE-2010-0738 published?
- CVE-2010-0738 was published on 2010-04-28 and last updated on 2026-06-16.
References
- http://marc.info/?l=bugtraq&m=132129312609324&w=2
- http://public.support.unisys.com/common/public/vulnerability/NVD_Detail_Rpt.aspx?ID=35
- http://secunia.com/advisories/39563
- http://securityreason.com/securityalert/8408
- http://securitytracker.com/id?1023918
- http://www.securityfocus.com/bid/39710
- http://www.vupen.com/english/advisories/2010/0992
- https://bugzilla.redhat.com/show_bug.cgi?id=574105
- https://exchange.xforce.ibmcloud.com/vulnerabilities/58147
- https://rhn.redhat.com/errata/RHSA-2010-0376.html
- https://rhn.redhat.com/errata/RHSA-2010-0377.html
- https://rhn.redhat.com/errata/RHSA-2010-0378.html
- https://rhn.redhat.com/errata/RHSA-2010-0379.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2010-0738
Affected products (2)
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:-:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:-:*:*:*:*:*:*
More vulnerabilities in Redhat Jboss Enterprise Application Platform
- CVE-2018-14721 — Critical (CVSS 10.0): FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF)…
- CVE-2019-14892 — Critical (CVSS 9.8): A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit…
- CVE-2019-17531 — Critical (CVSS 9.8): A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is…
- CVE-2019-17267 — Critical (CVSS 9.8): A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to…
- CVE-2019-10212 — Critical (CVSS 9.8): A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. If enabled, an…
- CVE-2019-16943 — Critical (CVSS 9.8): A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is…
All CVEs affecting Redhat Jboss Enterprise Application Platform →
Other CWE-749 vulnerabilities
- CVE-2023-40151 — Critical (CVSS 10.0): When user authentication is not enabled the shell can execute commands with the highest privileges. Red Lion SixTRAK…
- CVE-2026-55454 — Critical (CVSS 9.9): Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the bundled Caddy…
- CVE-2026-30957 — Critical (CVSS 9.9): OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, OneUptime Synthetic Monitors…
- CVE-2026-30921 — Critical (CVSS 9.9): OneUptime is a solution for monitoring and managing online services. Prior to 10.0.20, OneUptime Synthetic Monitors…
- CVE-2019-18342 — Critical (CVSS 9.9): A vulnerability has been identified in Control Center Server (CCS) (All versions < V1.5.0). The SFTP service (default…
- CVE-2025-59403 — Critical (CVSS 9.8): The Flock Safety Android Collins application (aka com.flocksafety.android.collins) 6.35.31 for Android lacks…