CVE-2013-1768

Impact:
Important
Public Date:
2013-06-12
CWE:
CWE-502
Bugzilla:
984034: CVE-2013-1768 openjpa: Remote arbitrary code execution by creating a serialized object and leveraging improperly secured server programs

The MITRE CVE dictionary describes this issue as:

The BrokerFactory functionality in Apache OpenJPA 1.x before 1.2.3 and 2.x before 2.2.2 creates local executable JSP files containing logging trace data produced during deserialization of certain crafted OpenJPA objects, which makes it easier for remote attackers to execute arbitrary code by creating a serialized object and leveraging improperly secured server programs.

Find out more about CVE-2013-1768 from the MITRE CVE dictionary and NIST NVD.
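The description above is compact, so the point worth making explicit is the one that makes CWE-502 bugs dangerous: a class's private readObject hook runs as a side effect of ObjectInputStream.readObject(), before the application ever inspects the result, so a crafted stream can cause file writes (here, the "logging trace data" landing in a JSP the container will execute) on a server that merely deserializes it. The following is an added illustration, not OpenJPA's code and not the actual gadget used against BrokerFactory: the TracingConfig class and its field names are hypothetical stand-ins, and the second half shows the generic mitigation available on JDK 9 and later (a JEP 290 ObjectInputFilter allow-list), which complements, rather than replaces, upgrading to OpenJPA 1.2.3 / 2.2.2.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;

/**
 * Added illustration (hypothetical class, not OpenJPA's BrokerFactory): a
 * serializable type whose readObject hook does file I/O, so deserializing an
 * attacker-supplied stream is itself the attack. The second path shows an
 * ObjectInputFilter allow-list rejecting the class before the hook can run.
 */
public class DeserializationSideEffectDemo {

    /** Hypothetical stand-in for a class with an active readObject hook. */
    static final class TracingConfig implements Serializable {
        private static final long serialVersionUID = 1L;
        final String traceTarget;   // path taken from the crafted stream
        final String traceBody;     // content taken from the crafted stream

        TracingConfig(String traceTarget, String traceBody) {
            this.traceTarget = traceTarget;
            this.traceBody = traceBody;
        }

        // Invoked automatically by ObjectInputStream.readObject().
        private void readObject(ObjectInputStream in)
                throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            // "Trace data" written to a file whose name the stream chose.
            Files.write(Paths.get(traceTarget),
                        traceBody.getBytes(StandardCharsets.UTF_8));
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Unfiltered: the hook fires regardless of what the caller expected back. */
    static Object deserializeUnfiltered(byte[] data)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois =
                     new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    /** Filtered (JEP 290, JDK 9+): only explicitly allowed types may be resolved. */
    static Object deserializeFiltered(byte[] data)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois =
                     new ObjectInputStream(new ByteArrayInputStream(data))) {
            // Allow-list the types this endpoint legitimately expects; "!*"
            // rejects everything else, including the demo class, before any
            // instance is created and before readObject can run.
            ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                    "java.lang.String;java.util.ArrayList;!*"));
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a temp path standing in for a webapp's JSP directory.
        Path target = Files.createTempFile("trace-", ".jsp");
        Files.delete(target);  // start clean so the side effect is observable
        byte[] crafted = serialize(new TracingConfig(
                target.toString(), "<% /* content chosen by the sender */ %>"));

        deserializeUnfiltered(crafted);
        System.out.println("unfiltered: file created = " + Files.exists(target));

        Files.deleteIfExists(target);
        try {
            deserializeFiltered(crafted);
        } catch (InvalidClassException e) {
            System.out.println("filtered: rejected (" + e.getMessage() + ")");
        }
        System.out.println("filtered: file created = " + Files.exists(target));
    }
}
```

Run with `javac DeserializationSideEffectDemo.java && java DeserializationSideEffectDemo` on JDK 9 or later. The unfiltered call creates the file without the caller ever touching the returned object; the filtered call throws InvalidClassException during class resolution and the file is never written. On JDK 8u121 and later the same filter is available under sun.misc.ObjectInputFilter, or process-wide via the jdk.serialFilter system property, which is the practical option for a container that cannot be patched immediately.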

CVSS v2 metrics

NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.

Base Score 7.5
Base Metrics AV:N/AC:L/Au:N/C:P/I:P/A:P
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Partial
Integrity Impact Partial
Availability Impact Partial

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform Errata Release Date
Fuse ESB Enterprise 7.1.0 RHSA-2013:1862 2013-12-19
Fuse Management Console 7.1.0 RHSA-2013:1862 2013-12-19
Red Hat JBoss Fuse 6.0 RHSA-2013:1185 2013-08-29
Fuse MQ Enterprise 7.1.0 RHSA-2013:1862 2013-12-19