### [CVE-2017-12149](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12149) ![](https://img.shields.io/static/v1?label=Product&message=jbossas&color=blue) ![](https://img.shields.io/static/v1?label=Version&message=%3D%20n%2Fa%20&color=brighgreen) ![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-502&color=brighgreen) ### Description In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data. ### POC #### Reference - https://github.com/gottburgm/Exploits/tree/master/CVE-2017-12149 #### Github - https://github.com/0day666/Vulnerability-verification - https://github.com/1337g/CVE-2017-10271 - https://github.com/1337g/CVE-2017-12149 - https://github.com/1337g/CVE-2017-17215 - https://github.com/20142995/pocsuite - https://github.com/20142995/sectool - https://github.com/ARPSyndicate/cvemon - https://github.com/ARPSyndicate/kenzer-templates - https://github.com/AabyssZG/AWD-Guide - https://github.com/AdeliaNitzsche/Java-Deserialization-Cheat-Sheet - https://github.com/Awrrays/FrameVul - https://github.com/BarrettWyman/JavaTools - https://github.com/BrittanyKuhn/javascript-tutorial - https://github.com/CVEDB/PoC-List - https://github.com/CVEDB/awesome-cve-repo - https://github.com/CVEDB/top - https://github.com/CnHack3r/Penetration_PoC - https://github.com/CrackerCat/myhktools - https://github.com/DSO-Lab/pocscan - https://github.com/EchoGin404/- - https://github.com/EchoGin404/gongkaishouji - https://github.com/Elsfa7-110/kenzer-templates - https://github.com/GGyao/jbossScan - https://github.com/GhostTroops/TOP - https://github.com/GhostTroops/myhktools - https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet - https://github.com/HimmelAward/Goby_POC - https://github.com/JERRY123S/all-poc - https://github.com/Jean-Francois-C/Windows-Penetration-Testing - https://github.com/JesseClarkND/CVE-2017-12149 - https://github.com/Mr-xn/Penetration_Testing_POC - https://github.com/MrE-Fog/jboss-_CVE-2017-12149 - https://github.com/MrE-Fog/jbossScan - https://github.com/NCSU-DANCE-Research-Group/CDL - https://github.com/NetW0rK1le3r/awesome-hacking-lists - https://github.com/Ostorlab/KEV - https://github.com/Ostorlab/known_exploited_vulnerbilities_detectors - https://github.com/PalindromeLabs/Java-Deserialization-CVEs - https://github.com/Sathyasri1/JavaDeserH2HC - https://github.com/SexyBeast233/SecBooks - https://github.com/TSY244/scan_node - https://github.com/Threekiii/Awesome-POC - https://github.com/Threekiii/Vulhub-Reproduce - https://github.com/TrojanAZhen/Self_Back - https://github.com/Tyro-Shan/gongkaishouji - https://github.com/VVeakee/CVE-2017-12149 - https://github.com/Weik1/Artillery - https://github.com/Xcatolin/jboss-deserialization - https://github.com/YIXINSHUWU/Penetration_Testing_POC - https://github.com/Z0fhack/Goby_POC - https://github.com/ZTK-009/Penetration_PoC - https://github.com/ZTK-009/RedTeamer - https://github.com/Zero094/Vulnerability-verification - https://github.com/aymankhder/Windows-Penetration-Testing - https://github.com/bakery312/Vulhub-Reproduce - https://github.com/bfengj/CTF - https://github.com/chalern/Pentest-Tools - https://github.com/cyberanand1337x/bug-bounty-2022 - https://github.com/do0dl3/myhktools - https://github.com/dudek-marcin/Poc-Exp - https://github.com/enomothem/PenTestNote - https://github.com/fengjixuchui/RedTeamer - https://github.com/fupinglee/JavaTools - https://github.com/gallopsec/JBossScan - https://github.com/hasee2018/Penetration_Testing_POC - https://github.com/hktalent/TOP - https://github.com/hktalent/bug-bounty - https://github.com/hktalent/myhktools - https://github.com/huike007/penetration_poc - https://github.com/huike007/poc - https://github.com/hungslab/awd-tools - https://github.com/ianxtianxt/CVE-2015-7501 - https://github.com/ilmila/J2EEScan - https://github.com/iqrok/myhktools - https://github.com/jbmihoub/all-poc - https://github.com/jiangsir404/POC-S - https://github.com/jinhaozcp/weblogic - https://github.com/joaomatosf/JavaDeserH2HC - https://github.com/jreppiks/CVE-2017-12149 - https://github.com/jstang9527/gofor - https://github.com/jweny/pocassistdb - https://github.com/klausware/Java-Deserialization-Cheat-Sheet - https://github.com/koutto/jok3r-pocs - https://github.com/lions2012/Penetration_Testing_POC - https://github.com/lnick2023/nicenice - https://github.com/merlinepedra/JavaDeserH2HC - https://github.com/merlinepedra25/JavaDeserH2HC - https://github.com/mishmashclone/GrrrDog-Java-Deserialization-Cheat-Sheet - https://github.com/nihaohello/N-MiddlewareScan - https://github.com/onewinner/VulToolsKit - https://github.com/ozkanbilge/Java-Reverse-Shell - https://github.com/password520/Penetration_PoC - https://github.com/password520/RedTeamer - https://github.com/pen4uin/awesome-vulnerability-research - https://github.com/pen4uin/vulnerability-research - https://github.com/pen4uin/vulnerability-research-list - https://github.com/qazbnm456/awesome-cve-poc - https://github.com/r0eXpeR/redteam_vul - https://github.com/readloud/Awesome-Stars - https://github.com/ronoski/j2ee-rscan - https://github.com/sevck/CVE-2017-12149 - https://github.com/superfish9/pt - https://github.com/superlink996/chunqiuyunjingbachang - https://github.com/taielab/awesome-hacking-lists - https://github.com/tdcoming/Vulnerability-engine - https://github.com/touchmycrazyredhat/myhktools - https://github.com/trhacknon/myhktools - https://github.com/veo/vscan - https://github.com/weeka10/-hktalent-TOP - https://github.com/winterwolf32/CVE-S---Penetration_Testing_POC- - https://github.com/x-f1v3/Vulnerability_Environment - https://github.com/xbl2022/awesome-hacking-lists - https://github.com/xbl3/awesome-cve-poc_qazbnm456 - https://github.com/xuetusummer/Penetration_Testing_POC - https://github.com/yedada-wei/- - https://github.com/yedada-wei/gongkaishouji - https://github.com/yunxu1/jboss-_CVE-2017-12149 - https://github.com/znznzn-oss/Jboss