cve/2017/CVE-2017-12149.md

### [CVE-2017-12149](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12149)
![](https://img.shields.io/static/v1?label=Product&message=jbossas&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3D%20n%2Fa%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-502&color=brighgreen)

### Description

In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data.

### POC

#### Reference
- https://github.com/gottburgm/Exploits/tree/master/CVE-2017-12149

#### Github
- https://github.com/0day666/Vulnerability-verification
- https://github.com/1337g/CVE-2017-10271
- https://github.com/1337g/CVE-2017-12149
- https://github.com/1337g/CVE-2017-17215
- https://github.com/20142995/pocsuite
- https://github.com/20142995/sectool
- https://github.com/ARPSyndicate/cvemon
- https://github.com/ARPSyndicate/kenzer-templates
- https://github.com/AabyssZG/AWD-Guide
- https://github.com/AdeliaNitzsche/Java-Deserialization-Cheat-Sheet
- https://github.com/Awrrays/FrameVul
- https://github.com/BarrettWyman/JavaTools
- https://github.com/BrittanyKuhn/javascript-tutorial
- https://github.com/CVEDB/PoC-List
- https://github.com/CVEDB/awesome-cve-repo
- https://github.com/CVEDB/top
- https://github.com/CnHack3r/Penetration_PoC
- https://github.com/CrackerCat/myhktools
- https://github.com/DSO-Lab/pocscan
- https://github.com/EchoGin404/-
- https://github.com/EchoGin404/gongkaishouji
- https://github.com/Elsfa7-110/kenzer-templates
- https://github.com/GGyao/jbossScan
- https://github.com/GhostTroops/TOP
- https://github.com/GhostTroops/myhktools
- https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet
- https://github.com/HimmelAward/Goby_POC
- https://github.com/JERRY123S/all-poc
- https://github.com/Jean-Francois-C/Windows-Penetration-Testing
- https://github.com/JesseClarkND/CVE-2017-12149
- https://github.com/Mr-xn/Penetration_Testing_POC
- https://github.com/MrE-Fog/jboss-_CVE-2017-12149
- https://github.com/MrE-Fog/jbossScan
- https://github.com/NCSU-DANCE-Research-Group/CDL
- https://github.com/NetW0rK1le3r/awesome-hacking-lists
- https://github.com/Ostorlab/KEV
- https://github.com/Ostorlab/known_exploited_vulnerbilities_detectors
- https://github.com/PalindromeLabs/Java-Deserialization-CVEs
- https://github.com/Sathyasri1/JavaDeserH2HC
- https://github.com/SexyBeast233/SecBooks
- https://github.com/TSY244/scan_node
- https://github.com/Threekiii/Awesome-POC
- https://github.com/Threekiii/Vulhub-Reproduce
- https://github.com/TrojanAZhen/Self_Back
- https://github.com/Tyro-Shan/gongkaishouji
- https://github.com/VVeakee/CVE-2017-12149
- https://github.com/Weik1/Artillery
- https://github.com/Xcatolin/jboss-deserialization
- https://github.com/YIXINSHUWU/Penetration_Testing_POC
- https://github.com/Z0fhack/Goby_POC
- https://github.com/ZTK-009/Penetration_PoC
- https://github.com/ZTK-009/RedTeamer
- https://github.com/Zero094/Vulnerability-verification
- https://github.com/aymankhder/Windows-Penetration-Testing
- https://github.com/bakery312/Vulhub-Reproduce
- https://github.com/bfengj/CTF
- https://github.com/chalern/Pentest-Tools
- https://github.com/cyberanand1337x/bug-bounty-2022
- https://github.com/do0dl3/myhktools
- https://github.com/dudek-marcin/Poc-Exp
- https://github.com/enomothem/PenTestNote
- https://github.com/fengjixuchui/RedTeamer
- https://github.com/fupinglee/JavaTools
- https://github.com/gallopsec/JBossScan
- https://github.com/hasee2018/Penetration_Testing_POC
- https://github.com/hktalent/TOP
- https://github.com/hktalent/bug-bounty
- https://github.com/hktalent/myhktools
- https://github.com/huike007/penetration_poc
- https://github.com/huike007/poc
- https://github.com/hungslab/awd-tools
- https://github.com/ianxtianxt/CVE-2015-7501
- https://github.com/ilmila/J2EEScan
- https://github.com/iqrok/myhktools
- https://github.com/jbmihoub/all-poc
- https://github.com/jiangsir404/POC-S
- https://github.com/jinhaozcp/weblogic
- https://github.com/joaomatosf/JavaDeserH2HC
- https://github.com/jreppiks/CVE-2017-12149
- https://github.com/jstang9527/gofor
- https://github.com/jweny/pocassistdb
- https://github.com/klausware/Java-Deserialization-Cheat-Sheet
- https://github.com/koutto/jok3r-pocs
- https://github.com/lions2012/Penetration_Testing_POC
- https://github.com/lnick2023/nicenice
- https://github.com/merlinepedra/JavaDeserH2HC
- https://github.com/merlinepedra25/JavaDeserH2HC
- https://github.com/mishmashclone/GrrrDog-Java-Deserialization-Cheat-Sheet
- https://github.com/nihaohello/N-MiddlewareScan
- https://github.com/onewinner/VulToolsKit
- https://github.com/ozkanbilge/Java-Reverse-Shell
- https://github.com/password520/Penetration_PoC
- https://github.com/password520/RedTeamer
- https://github.com/pen4uin/awesome-vulnerability-research
- https://github.com/pen4uin/vulnerability-research
- https://github.com/pen4uin/vulnerability-research-list
- https://github.com/pentration/gongkaishouji
- https://github.com/qazbnm456/awesome-cve-poc
- https://github.com/r0eXpeR/redteam_vul
- https://github.com/readloud/Awesome-Stars
- https://github.com/ronoski/j2ee-rscan
- https://github.com/sevck/CVE-2017-12149
- https://github.com/superfish9/pt
- https://github.com/superlink996/chunqiuyunjingbachang
- https://github.com/taielab/awesome-hacking-lists
- https://github.com/tdcoming/Vulnerability-engine
- https://github.com/touchmycrazyredhat/myhktools
- https://github.com/trhacknon/myhktools
- https://github.com/veo/vscan
- https://github.com/weeka10/-hktalent-TOP
- https://github.com/winterwolf32/CVE-S---Penetration_Testing_POC-
- https://github.com/x-f1v3/Vulnerability_Environment
- https://github.com/xbl2022/awesome-hacking-lists
- https://github.com/xbl3/awesome-cve-poc_qazbnm456
- https://github.com/xuetusummer/Penetration_Testing_POC
- https://github.com/yedada-wei/-
- https://github.com/yedada-wei/gongkaishouji
- https://github.com/yunxu1/jboss-_CVE-2017-12149
- https://github.com/znznzn-oss/Jboss
Update Sun May 26 14:27:04 CEST 2024 2024-05-26 14:27:05 +02:00			`### [CVE-2017-12149](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12149)`
			`![](https://img.shields.io/static/v1?label=Product&message=jbossas&color=blue)`
			`![](https://img.shields.io/static/v1?label=Version&message=%3D%20n%2Fa%20&color=brighgreen)`
			`![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-502&color=brighgreen)`

			`### Description`

			`In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data.`

			`### POC`

			`#### Reference`
			`- https://github.com/gottburgm/Exploits/tree/master/CVE-2017-12149`

			`#### Github`
			`- https://github.com/0day666/Vulnerability-verification`
			`- https://github.com/1337g/CVE-2017-10271`
			`- https://github.com/1337g/CVE-2017-12149`
			`- https://github.com/1337g/CVE-2017-17215`
			`- https://github.com/20142995/pocsuite`
			`- https://github.com/20142995/sectool`
			`- https://github.com/ARPSyndicate/cvemon`
			`- https://github.com/ARPSyndicate/kenzer-templates`
			`- https://github.com/AabyssZG/AWD-Guide`
			`- https://github.com/AdeliaNitzsche/Java-Deserialization-Cheat-Sheet`
			`- https://github.com/Awrrays/FrameVul`
			`- https://github.com/BarrettWyman/JavaTools`
			`- https://github.com/BrittanyKuhn/javascript-tutorial`
			`- https://github.com/CVEDB/PoC-List`
			`- https://github.com/CVEDB/awesome-cve-repo`
			`- https://github.com/CVEDB/top`
			`- https://github.com/CnHack3r/Penetration_PoC`
			`- https://github.com/CrackerCat/myhktools`
			`- https://github.com/DSO-Lab/pocscan`
			`- https://github.com/EchoGin404/-`
			`- https://github.com/EchoGin404/gongkaishouji`
			`- https://github.com/Elsfa7-110/kenzer-templates`
			`- https://github.com/GGyao/jbossScan`
			`- https://github.com/GhostTroops/TOP`
			`- https://github.com/GhostTroops/myhktools`
			`- https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet`
			`- https://github.com/HimmelAward/Goby_POC`
			`- https://github.com/JERRY123S/all-poc`
			`- https://github.com/Jean-Francois-C/Windows-Penetration-Testing`
			`- https://github.com/JesseClarkND/CVE-2017-12149`
			`- https://github.com/Mr-xn/Penetration_Testing_POC`
			`- https://github.com/MrE-Fog/jboss-_CVE-2017-12149`
			`- https://github.com/MrE-Fog/jbossScan`
			`- https://github.com/NCSU-DANCE-Research-Group/CDL`
			`- https://github.com/NetW0rK1le3r/awesome-hacking-lists`
			`- https://github.com/Ostorlab/KEV`
			`- https://github.com/Ostorlab/known_exploited_vulnerbilities_detectors`
			`- https://github.com/PalindromeLabs/Java-Deserialization-CVEs`
			`- https://github.com/Sathyasri1/JavaDeserH2HC`
			`- https://github.com/SexyBeast233/SecBooks`
			`- https://github.com/TSY244/scan_node`
			`- https://github.com/Threekiii/Awesome-POC`
			`- https://github.com/Threekiii/Vulhub-Reproduce`
Update CVE sources 2024-07-25 21:25 2024-07-25 21:25:12 +00:00			`- https://github.com/TrojanAZhen/Self_Back`
Update CVE sources 2024-06-07 04:52 2024-06-07 04:52:01 +00:00			`- https://github.com/Tyro-Shan/gongkaishouji`
Update Sun May 26 14:27:04 CEST 2024 2024-05-26 14:27:05 +02:00			`- https://github.com/VVeakee/CVE-2017-12149`
			`- https://github.com/Weik1/Artillery`
			`- https://github.com/Xcatolin/jboss-deserialization`
			`- https://github.com/YIXINSHUWU/Penetration_Testing_POC`
			`- https://github.com/Z0fhack/Goby_POC`
Update Mon May 27 13:12:02 UTC 2024 2024-05-27 13:12:02 +00:00			`- https://github.com/ZTK-009/Penetration_PoC`
			`- https://github.com/ZTK-009/RedTeamer`
Update Sun May 26 14:27:04 CEST 2024 2024-05-26 14:27:05 +02:00			`- https://github.com/Zero094/Vulnerability-verification`
			`- https://github.com/aymankhder/Windows-Penetration-Testing`
			`- https://github.com/bakery312/Vulhub-Reproduce`
			`- https://github.com/bfengj/CTF`
			`- https://github.com/chalern/Pentest-Tools`
			`- https://github.com/cyberanand1337x/bug-bounty-2022`
			`- https://github.com/do0dl3/myhktools`
			`- https://github.com/dudek-marcin/Poc-Exp`
			`- https://github.com/enomothem/PenTestNote`
			`- https://github.com/fengjixuchui/RedTeamer`
			`- https://github.com/fupinglee/JavaTools`
			`- https://github.com/gallopsec/JBossScan`
			`- https://github.com/hasee2018/Penetration_Testing_POC`
			`- https://github.com/hktalent/TOP`
			`- https://github.com/hktalent/bug-bounty`
			`- https://github.com/hktalent/myhktools`
			`- https://github.com/huike007/penetration_poc`
			`- https://github.com/huike007/poc`
Update CVE sources 2024-06-10 07:22 2024-06-10 07:22:43 +00:00			`- https://github.com/hungslab/awd-tools`
Update Sun May 26 14:27:04 CEST 2024 2024-05-26 14:27:05 +02:00			`- https://github.com/ianxtianxt/CVE-2015-7501`
			`- https://github.com/ilmila/J2EEScan`
			`- https://github.com/iqrok/myhktools`
			`- https://github.com/jbmihoub/all-poc`
			`- https://github.com/jiangsir404/POC-S`
			`- https://github.com/jinhaozcp/weblogic`
			`- https://github.com/joaomatosf/JavaDeserH2HC`
			`- https://github.com/jreppiks/CVE-2017-12149`
			`- https://github.com/jstang9527/gofor`
			`- https://github.com/jweny/pocassistdb`
			`- https://github.com/klausware/Java-Deserialization-Cheat-Sheet`
			`- https://github.com/koutto/jok3r-pocs`
			`- https://github.com/lions2012/Penetration_Testing_POC`
			`- https://github.com/lnick2023/nicenice`
			`- https://github.com/merlinepedra/JavaDeserH2HC`
			`- https://github.com/merlinepedra25/JavaDeserH2HC`
			`- https://github.com/mishmashclone/GrrrDog-Java-Deserialization-Cheat-Sheet`
			`- https://github.com/nihaohello/N-MiddlewareScan`
Update CVE sources 2024-07-25 21:25 2024-07-25 21:25:12 +00:00			`- https://github.com/onewinner/VulToolsKit`
Update Sun May 26 14:27:04 CEST 2024 2024-05-26 14:27:05 +02:00			`- https://github.com/ozkanbilge/Java-Reverse-Shell`
			`- https://github.com/password520/Penetration_PoC`
			`- https://github.com/password520/RedTeamer`
			`- https://github.com/pen4uin/awesome-vulnerability-research`
			`- https://github.com/pen4uin/vulnerability-research`
			`- https://github.com/pen4uin/vulnerability-research-list`
Update CVE sources 2024-08-12 19:01 2024-08-12 19:01:27 +00:00			`- https://github.com/pentration/gongkaishouji`
Update Sun May 26 14:27:04 CEST 2024 2024-05-26 14:27:05 +02:00			`- https://github.com/qazbnm456/awesome-cve-poc`
			`- https://github.com/r0eXpeR/redteam_vul`
			`- https://github.com/readloud/Awesome-Stars`
			`- https://github.com/ronoski/j2ee-rscan`
			`- https://github.com/sevck/CVE-2017-12149`
			`- https://github.com/superfish9/pt`
			`- https://github.com/superlink996/chunqiuyunjingbachang`
			`- https://github.com/taielab/awesome-hacking-lists`
			`- https://github.com/tdcoming/Vulnerability-engine`
			`- https://github.com/touchmycrazyredhat/myhktools`
			`- https://github.com/trhacknon/myhktools`
			`- https://github.com/veo/vscan`
			`- https://github.com/weeka10/-hktalent-TOP`
			`- https://github.com/winterwolf32/CVE-S---Penetration_Testing_POC-`
			`- https://github.com/x-f1v3/Vulnerability_Environment`
			`- https://github.com/xbl2022/awesome-hacking-lists`
			`- https://github.com/xbl3/awesome-cve-poc_qazbnm456`
			`- https://github.com/xuetusummer/Penetration_Testing_POC`
			`- https://github.com/yedada-wei/-`
			`- https://github.com/yedada-wei/gongkaishouji`
			`- https://github.com/yunxu1/jboss-_CVE-2017-12149`
			`- https://github.com/znznzn-oss/Jboss`