CVE-2010-1428
CVE-2010-1428 is a high-severity vulnerability in Redhat Jboss Enterprise Application Platform with a CVSS 3.x base score of 7.5. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-05-25). The underlying weakness is classified as CWE-749.
Key facts
- Severity: High (CVSS 3.x base score 7.5)
- CVSS v2: 5.0
- EPSS exploit prediction: 62% (99th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-05-25)
- EU (EUVD) id: EUVD-2010-1456
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-05-25)
- Weakness: CWE-749
- Affected product: Redhat Jboss Enterprise Application Platform
- Published:
- Last modified:
Description
The Web Console (aka web-console) in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to obtain sensitive information via an unspecified request that uses a different method.
CVE-2010-1428: JBoss EAP Web Console Access Control Bypass via Non-Standard HTTP Methods
AI-generated analysis based on the vulnerability data on this page.
Summary
The Web Console (also referred to as web-console) in Red Hat JBoss Enterprise Application Platform (JBoss EAP) 4.2 and 4.3 fails to enforce access controls on HTTP methods other than GET and POST. Because the console checks authentication and authorization only for these two common methods, a remote attacker can send requests using alternative HTTP verbs — such as HEAD, PUT, DELETE, or TRACE — to reach administrative endpoints without presenting valid credentials. This weakness exposes sensitive configuration data and management interfaces to the network.
Background
JBoss EAP 4.x shipped with a browser-based Web Console intended for lightweight monitoring and administrative tasks. In production deployments, operators often relied on network segmentation or front-end proxies rather than hard console lockdown, assuming that built-in authentication was sufficient. The console’s access-control layer was implemented at the servlet-filter level, but the filter explicitly gated only GET and POST traffic. All other HTTP methods passed through unvalidated, a pattern that was common in early-2000s Java EE administration tools but is now widely recognized as an insecure default.
Root Cause
NVD classifies this flaw under CWE-749: Exposed Dangerous Method or Function. The core issue is an incomplete access-control check in the Web Console’s request-processing path. The console’s security filter interrogated the HTTP method string and applied authentication and authorization rules solely when the method equaled GET or POST. Any other method — including standard alternatives defined in RFC 7231 — was routed directly to the underlying administrative servlets. Because the console’s servlets responded meaningfully to those methods (for example, returning configuration pages on HEAD or accepting configuration changes on PUT), the missing gate effectively granted administrative access to any network-reachable client.
Impact
The vulnerability scored 5.0 under CVSS v2 (AV:N/AC:L/Au:N/C:P/I:N/A:N) and 7.5 under CVSS:3.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). The metrics reflect:
- Network attack vector — exploitable from any routable host.
- Low attack complexity — no special tooling or timing is required.
- No privileges or user interaction — fully unauthenticated.
- High confidentiality impact under CVSS v3 because administrative endpoints can leak deployment descriptors, data-source credentials, and runtime state.
- No integrity or availability impact in the base score, although follow-on manipulation may be possible depending on the endpoint semantics.
Exploitation Walkthrough
From a defensive-research perspective, the attack is straightforward to understand and has been observed in the wild. An attacker identifies a JBoss EAP instance with an exposed Web Console, then crafts an HTTP request using a non-standard or less-common method.
A typical reconnaissance step looks like:
- Probe the
/web-console/path (or the console alias configured by the administrator). - Observe that GET or POST returns a 401/403 when unauthenticated.
- Replay the same request with the method changed to HEAD, PUT, DELETE, TRACE, OPTIONS, or a custom verb.
- If the console responds with 200 OK and administrative HTML or JSON, the host is vulnerable.
The same technique can be extended to administrative actions if the underlying servlet accepts the method. For example, a PUT request against a configuration-management endpoint may return the current configuration or, depending on servlet implementation, alter it without authentication.
Ethics caveat: The steps above are described for defensive hardening, detection-rule development, and red-team scoping only. Do not test against systems you do not own or have explicit permission to assess.
Affected and Patched Versions
| Affected | Patched |
|---|---|
| JBoss EAP 4.2 (all releases before 4.2.0.CP09) | 4.2.0.CP09 and later |
| JBoss EAP 4.3 (all releases before 4.3.0.CP08) | 4.3.0.CP08 and later |
If you are running a release between the base version and the cumulative-patch (CP) level listed above, assume exposure unless the vendor hotfix has been explicitly applied.
Remediation
- Upgrade or patch. Apply the cumulative patches referenced in Red Hat Security Advisories RHSA-2010:0376, RHSA-2010:0377, RHSA-2010:0378, and RHSA-2010:0379. These updates modify the Web Console filter to enforce authentication across all HTTP methods.
- Compensating controls. If immediate patching is not feasible:
- Block external access to the Web Console at the network perimeter or reverse-proxy layer.
- Restrict the console listener to loopback or a management VLAN.
- Deploy a Web Application Firewall (WAF) rule that drops non-GET/POST requests to administrative paths unless they originate from a hardened bastion host.
- Disable the Web Console entirely if it is not required for operations.
Detection
Defenders can detect exploitation attempts with the following telemetry:
- Web-server logs: Look for HTTP methods other than GET or POST directed at
/web-console/*or the equivalent management context. Correlation with source IP addresses outside the administrative subnet is a high-fidelity indicator. - Intrusion-detection signatures: Snort/Suricata or WAF rules can flag unusual HTTP methods against JBoss console URIs. Example:
alert tcp any any -> any $HTTP_PORTS (msg:"JBoss Web Console non-GET/POST access attempt"; flow:to_server,established; content:"/web-console/"; http_uri; content:!("GET"); http_method; content:!("POST"); http_method; sid:1000001; rev:1;) - Endpoint detection: Monitor the JBoss process for unexpected configuration changes or spawned child processes that correlate with unusual HTTP traffic.
- Honeypot / deception: Deploy a decoy JBoss console on a segmented VLAN and alert on any non-GET/POST request; genuine administrative traffic should not reach the decoy.
Assessment
This vulnerability carries an EPSS score of 0.62308 (approximately 62 % probability of exploitation within 30 days) and sits at the 99.08th percentile of all scored CVEs, signalling that threat actors actively target it. CISA added the flaw to the Known Exploited Vulnerabilities catalog on 25 May 2022, confirming in-the-wild exploitation. The EU Vulnerability Database (EUVD-2010-1456) also flags it as actively exploited.
Two lessons stand out:
- Method-based access control must be exhaustive. Security filters should deny by default and whitelist only the methods an endpoint is explicitly designed to handle. Checking only GET and POST leaves a broad attack surface.
- Administrative interfaces should never be exposed to untrusted networks. Even when authentication is present, the combination of legacy code paths and alternative HTTP verbs can bypass assumptions. Console exposure should require VPN or jump-host access.
References
- https://bugzilla.redhat.com/show_bug.cgi?id=585899
- https://rhn.redhat.com/errata/RHSA-2010-0376.html
- https://rhn.redhat.com/errata/RHSA-2010-0377.html
- https://rhn.redhat.com/errata/RHSA-2010-0378.html
- https://rhn.redhat.com/errata/RHSA-2010-0379.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2010-1428
- http://secunia.com/advisories/39563
- http://securitytracker.com/id?1023917
- http://www.securityfocus.com/bid/39710
- https://exchange.xforce.ibmcloud.com/vulnerabilities/58148
Frequently asked questions
- What is CVE-2010-1428?
- The Web Console (aka web-console) in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to obtain sensitive information via an unspecified request that uses a different method.
- How severe is CVE-2010-1428?
- CVE-2010-1428 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2010-1428 being actively exploited?
- Yes. CVE-2010-1428 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-05-25, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2010-1428?
- CVE-2010-1428 primarily affects Redhat Jboss Enterprise Application Platform. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2010-1428?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2010-1428 have an EU (EUVD) identifier?
- Yes. CVE-2010-1428 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2010-1456. It is also flagged as exploited in the EUVD (since 2022-05-25).
- When was CVE-2010-1428 published?
- CVE-2010-1428 was published on 2010-04-28 and last updated on 2026-06-16.
References
- http://marc.info/?l=bugtraq&m=132698550418872&w=2
- http://secunia.com/advisories/39563
- http://securitytracker.com/id?1023917
- http://www.securityfocus.com/bid/39710
- http://www.vupen.com/english/advisories/2010/0992
- https://bugzilla.redhat.com/show_bug.cgi?id=585899
- https://exchange.xforce.ibmcloud.com/vulnerabilities/58148
- https://rhn.redhat.com/errata/RHSA-2010-0376.html
- https://rhn.redhat.com/errata/RHSA-2010-0377.html
- https://rhn.redhat.com/errata/RHSA-2010-0378.html
- https://rhn.redhat.com/errata/RHSA-2010-0379.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2010-1428
Affected products (2)
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2.0:-:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:-:*:*:*:*:*:*
More vulnerabilities in Redhat Jboss Enterprise Application Platform
- CVE-2018-14721 — Critical (CVSS 10.0): FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF)…
- CVE-2019-14892 — Critical (CVSS 9.8): A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit…
- CVE-2019-17531 — Critical (CVSS 9.8): A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is…
- CVE-2019-17267 — Critical (CVSS 9.8): A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to…
- CVE-2019-10212 — Critical (CVSS 9.8): A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. If enabled, an…
- CVE-2019-16943 — Critical (CVSS 9.8): A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is…
All CVEs affecting Redhat Jboss Enterprise Application Platform →
Other CWE-749 vulnerabilities
- CVE-2023-40151 — Critical (CVSS 10.0): When user authentication is not enabled the shell can execute commands with the highest privileges. Red Lion SixTRAK…
- CVE-2026-55454 — Critical (CVSS 9.9): Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the bundled Caddy…
- CVE-2026-30957 — Critical (CVSS 9.9): OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, OneUptime Synthetic Monitors…
- CVE-2026-30921 — Critical (CVSS 9.9): OneUptime is a solution for monitoring and managing online services. Prior to 10.0.20, OneUptime Synthetic Monitors…
- CVE-2019-18342 — Critical (CVSS 9.9): A vulnerability has been identified in Control Center Server (CCS) (All versions < V1.5.0). The SFTP service (default…
- CVE-2025-59403 — Critical (CVSS 9.8): The Flock Safety Android Collins application (aka com.flocksafety.android.collins) 6.35.31 for Android lacks…