CVE-2010-1871

Impact: Important
Public Date: 2010-07-27
Bugzilla: 615956: CVE-2010-1871 JBoss Seam / Seam2: Improper sanitization of parametrized JBoss EL expressions (ACE)

The MITRE CVE dictionary describes this issue as:

JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression Language (EL) expressions, which allows remote attackers to execute arbitrary code via a crafted URL. NOTE: this is only a vulnerability when the Java Security Manager is not properly configured.

Find out more about CVE-2010-1871 from the MITRE CVE dictionary and NIST NVD.
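The MITRE description above boils down to one observable: JBoss EL expressions (which begin with "#{" or "${") arriving in request parameters. The following is an added detection example, not code from Red Hat, JBoss or the Seam project: it scans access-log lines for request targets whose URL-decoded query parameters contain an EL delimiter, which is something a defender can look for in logs regardless of whether the Java Security Manager was configured. The log lines, the application path, and the parameter name are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (common log format); not real traffic.
# Line 2 carries a URL-encoded "#{example}" in a parameter; line 4 carries the
# same value double-encoded, which a single decode pass would miss.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Jul/2010:10:01:12 +0000] "GET /seam-app/home.seam?cid=12 HTTP/1.1" 200 5123
10.0.0.7 - - [27/Jul/2010:10:01:15 +0000] "GET /seam-app/home.seam?param=%23%7Bexample%7D HTTP/1.1" 200 5123
10.0.0.9 - - [27/Jul/2010:10:01:20 +0000] "GET /seam-app/search.seam?q=shoes HTTP/1.1" 200 812
10.0.0.7 - - [27/Jul/2010:10:01:31 +0000] "GET /seam-app/home.seam?param=%2523%257Bexample%257D HTTP/1.1" 200 5123
"""

# Request line inside the quoted field of a common/combined log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# EL expressions start with "#{" or "${". Either sequence inside a decoded
# parameter value is a strong signal that an EL string is being passed in.
EL_DELIM_RE = re.compile(r'[#$]\{')


def suspicious_params(target):
    """Return (name, decoded_value) pairs whose value contains an EL delimiter."""
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl decodes once; decode a second time so that
        # double-encoded input (%2523 -> %23 -> #) is also caught.
        decoded = unquote(value)
        if EL_DELIM_RE.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(text):
    """Return (client_ip, request_target, flagged_params) for each suspicious line."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        hits = suspicious_params(m.group('target'))
        if hits:
            client = line.split(' ', 1)[0]
            findings.append((client, m.group('target'), hits))
    return findings


if __name__ == '__main__':
    for client, target, hits in scan_log(SAMPLE_LOG):
        print(f"{client} {target} -> {hits}")
```

Run against the constructed sample it flags the two lines from 10.0.0.7 and ignores the ordinary requests. The advisory's note that the issue only matters when the Java Security Manager is not properly configured is the mitigation side; this scanner is the detection side and does not depend on it, so it is equally useful for confirming that a patched or sandboxed deployment is no longer receiving such requests.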

CVSS v2 metrics

Base Score: 6.8
Base Metrics: AV:N/AC:M/Au:N/C:P/I:P/A:P
Access Vector: Network
Access Complexity: Medium
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform | Errata | Release Date
Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 5 Server (jboss-seam2) | RHSA-2010:0564 | 2010-07-27
Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 4 AS (jboss-seam2) | RHSA-2010:0564 | 2010-07-27

Acknowledgements

Red Hat would like to thank Meder Kydyraliev of Google Security Team for responsibly reporting this issue.
