Severity: 6.8 Medium (CVSS2)
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
JBoss Enterprise Application Platform is vulnerable to remote code execution (RCE). Due to an incomplete fix for CVE-2011-1484, JBoss Seam 2 did not block access to all malicious JBoss Expression Language (EL) constructs in page exception handling, allowing arbitrary Java methods to be executed. A remote attacker could use this flaw to execute arbitrary code via a specially crafted URL provided to certain applications based on the JBoss Seam 2 framework.
docs.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/5/html-single/Release_Notes_5.1.1/index.html
www.redhat.com/support/errata/RHSA-2011-0945.html
www.redhat.com/support/errata/RHSA-2011-0946.html
www.redhat.com/support/errata/RHSA-2011-0947.html
www.redhat.com/support/errata/RHSA-2011-0948.html
www.redhat.com/support/errata/RHSA-2011-0949.html
www.redhat.com/support/errata/RHSA-2011-0950.html
www.redhat.com/support/errata/RHSA-2011-0951.html
www.redhat.com/support/errata/RHSA-2011-0952.html
www.securityfocus.com/bid/48716
access.redhat.com/errata/RHSA-2011:0946
access.redhat.com/security/updates/classification/#important
bugzilla.redhat.com/show_bug.cgi?id=712283