Remote Code Execution (RCE)

2020-04-1000:59:25

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

JSON

JBoss Enterprise Application Platform is vulnerable to remtoe code execution (RCE). Due to an incomplete fix for CVE-2011-1484, JBoss Seam 2 did not block access to all malicious JBoss Expression Language (EL) constructs in page exception handling, allowing arbitrary Java methods to be executed. A remote attacker could use this flaw to execute arbitrary code via a specially-crafted URL provided to certain applications based on the JBoss Seam 2 framework.

CPENameOperatorVersion
hsqldbeq1.8.0.10__8.el6
jdomeq1.1.1__1.el6
jakarta-commons-discoveryeq0.4__5.4.el6
xerces-j2eq2.7.1__9.1.ep5.el5
xerces-j2eq2.7.1__12.5.el6
xerces-j2eq2.7.1__12.6.el6_0
xerces-j2eq2.7.1__12.7.el6_5
xerces-j2eq2.7.1__7jpp.2.el5_4.2
avalon-logkiteq1.2__8.2.el6
jakarta-commons-eleq1.0__18.4.el6

Name	Operator	Version
hsqldb	eq	1.8.0.10__8.el6
jdom	eq	1.1.1__1.el6
jakarta-commons-discovery	eq	0.4__5.4.el6
xerces-j2	eq	2.7.1__9.1.ep5.el5
xerces-j2	eq	2.7.1__12.5.el6
xerces-j2	eq	2.7.1__12.6.el6_0
xerces-j2	eq	2.7.1__12.7.el6_5
xerces-j2	eq	2.7.1__7jpp.2.el5_4.2
avalon-logkit	eq	1.2__8.2.el6
jakarta-commons-el	eq	1.0__18.4.el6