CVE-2008-3519

Severity CVSS v4.0:
Pending analysis
Type:
CWE-16 Configuration Errors
Publication date:
23/09/2008
Last modified:
09/04/2025

Description

The default configuration of the JBossAs component in Red Hat JBoss Enterprise Application Platform (aka JBossEAP or EAP), possibly 4.2 before CP04 and 4.3 before CP02, when a production environment is enabled, sets the DownloadServerClasses property to true, which allows remote attackers to obtain sensitive information (non-EJB classes) via a download request, a different vulnerability than CVE-2008-3273.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:redhat:jboss_enterprise_application_platform:*:cp03:*:*:*:*:*:* 4.2 (including)
cpe:2.3:a:redhat:jboss_enterprise_application_platform:*:cp01:*:*:*:*:*:* 4.3 (including)
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2:cp01:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.2:cp02:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3:*:*:*:*:*:*:*