
CVE-2012-1094: JBoss AS may expose root content if excluded-contexts list is mismatched

CVSS Score
7.5
CVSS Version
3.1

Basic Information

EPSS Score
0.46327%
Published
4/23/2022
Updated
2/2/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package Name
org.jboss.as:jboss-as-server
Ecosystem
maven
Vulnerable Versions
>= 7.0.0.Alpha1, < 7.1.1.Final
First Patched Version
7.1.1.Final

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from mismatched hostname handling between JBoss AS 7 and mod_cluster when processing excluded contexts. The critical functions would be those responsible for: 1) processing exclusion patterns (ModClusterSubsystem.addExcludedContext), which in vulnerable versions did not auto-prepend the hostname, and 2) host configuration setup (ModClusterService.configureHosts), which established the mismatched default-host conventions. These functions would appear in runtime profiling during context registration and request handling, when excluded contexts are evaluated. The medium confidence reflects inference from vulnerability descriptions rather than direct patch analysis.
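To make the mismatch concrete, here is an added example (not JBoss or mod_cluster code) that models excluded-contexts matching and audits whether the root context is actually excluded on the host the container deploys to. It assumes a simplified rule: an entry is `context` or `host:context`, a bare entry binds to a default host, and the two default host names used below (`localhost` for mod_cluster, `default-host` for JBoss AS 7) are an assumption for illustration.

```python
"""Model of excluded-contexts matching with a configurable default host.

Constructed example for CVE-2012-1094; not JBoss AS or mod_cluster code.
Assumed rule: entries are "context" or "host:context"; a bare entry is
bound to default_host; "ROOT" names the root context "/".
"""
from typing import Iterable, List, Set, Tuple

ROOT = "/"


def parse_excluded(spec: str, default_host: str) -> Set[Tuple[str, str]]:
    """Parse 'ROOT,admin,other-host:secure' into (host, path) pairs.

    Entries without an explicit host are bound to default_host. This is
    the step where a wrong default host silently binds ROOT to a host
    that never serves it.
    """
    out: Set[Tuple[str, str]] = set()
    for raw in spec.split(","):
        entry = raw.strip()
        if not entry:
            continue
        host, sep, ctx = entry.partition(":")
        if not sep:                      # bare entry: use the default host
            host, ctx = default_host, entry
        path = ROOT if ctx.upper() == "ROOT" else "/" + ctx.strip("/")
        out.add((host.lower(), path))
    return out


def is_excluded(excluded: Set[Tuple[str, str]], host: str, path: str) -> bool:
    """Exact (host, path) lookup, as a host-aware exclusion check would do."""
    return (host.lower(), path) in excluded


def audit_root_exposure(spec: str, config_default_host: str,
                        deployed_hosts: Iterable[str]) -> List[str]:
    """Return the deployed hosts on which ROOT would still be published.

    Passing the default host the *other* side assumes (e.g. "localhost"
    while the container deploys on "default-host") reproduces the
    mismatch; passing the real default host, or writing "host:ROOT"
    explicitly, yields an empty list.
    """
    excluded = parse_excluded(spec, config_default_host)
    return sorted(h for h in deployed_hosts if not is_excluded(excluded, h, ROOT))


if __name__ == "__main__":
    # Constructed config: ROOT excluded, but defaults disagree on the host.
    print(audit_root_exposure("ROOT,admin", "localhost", ["default-host"]))
    print(audit_root_exposure("ROOT,admin", "default-host", ["default-host"]))
```

A non-empty result means the excluded-contexts list does not cover the root context on a host that actually serves it; pinning the host in the entry (`default-host:ROOT`) removes the dependency on either side's default.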


WAF Protection Rules

WAF Rule

JBoss AS 7 prior to 7.1.1 and mod_cluster do not handle default hostname in the same way, which can cause the excluded-contexts list to be mismatched and the root context to be exposed.
