Statement

This flaw was originally reported as resulting in information disclosure only, and was therefore assessed as having low security impact. On this basis, it was planned that future updates to JBoss products may address this flaw. New research has now shown that this flaw can lead to remote code execution. The security impact has been re-assessed as important, and Red Hat is now working on patches for all affected products.

Reference: http://danamodio.com/application-security/discoveries/spring-remote-code-with-expression-language-injection/
CVSS v2 metrics
NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Red Hat Security Errata

| Platform | Errata | Release Date |
|---|---|---|
| Red Hat JBoss Portal 5.2 | RHSA-2013:0953 | 2013-06-18 |
| Red Hat JBoss Enterprise Application Platform 5.2 | RHSA-2013:0194 | 2013-01-24 |
| Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server (jbossas) | RHSA-2013:0191 | 2013-01-24 |
| Red Hat JBoss Web Platform 5.2 | RHSA-2013:0198 | 2013-01-24 |
| Red Hat JBoss SOA Platform 5.3 | RHSA-2013:0533 | 2013-02-20 |
| JBoss Enterprise BRMS Platform 5.3 | RHSA-2013:0221 | 2013-01-31 |
| Red Hat JBoss Web Platform 5 for RHEL 6 Server (jbossas-web) | RHSA-2013:0195 | 2013-01-24 |
| Red Hat JBoss Web Platform 5 for RHEL 5 Server (jbossas-web) | RHSA-2013:0196 | 2013-01-24 |
| Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS (jbossas) | RHSA-2013:0193 | 2013-01-24 |
| Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server (jbossas) | RHSA-2013:0192 | 2013-01-24 |
| Red Hat JBoss Web Platform 5 for RHEL 4 AS (jbossas-web) | RHSA-2013:0197 | 2013-01-24 |