cvelistv5 - cve-2013-6448

cve-2013-6448

Vulnerability from cvelistv5

Published

2014-01-23 00:00

Modified

2024-08-06 17:39

Severity ?

Summary

The InterfaceGenerator handler in JBoss Seam Remoting in JBoss Seam 2 framework 2.3.1 and earlier, as used in JBoss Web Framework Kit, allows remote attackers to bypass the WebRemote annotation restriction and obtain information about arbitrary classes and methods on the server classpath via unspecified vectors.

References

URL	Tags
secalert@redhat.com	http://rhn.redhat.com/errata/RHSA-2014-0045.html	Vendor Advisory
secalert@redhat.com	http://secunia.com/advisories/56572	Vendor Advisory
secalert@redhat.com	http://www.securitytracker.com/id/1029652
secalert@redhat.com	https://bugzilla.redhat.com/show_bug.cgi?id=1044794	Patch, Vendor Advisory
secalert@redhat.com	https://github.com/seam2/jboss-seam/commit/090aa6252affc978a96c388e3fc2c1c2688d9bb5
af854a3a-2127-422b-91ae-364da2661108	http://rhn.redhat.com/errata/RHSA-2014-0045.html	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/56572	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securitytracker.com/id/1029652
af854a3a-2127-422b-91ae-364da2661108	https://bugzilla.redhat.com/show_bug.cgi?id=1044794	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/seam2/jboss-seam/commit/090aa6252affc978a96c388e3fc2c1c2688d9bb5

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T17:39:01.443Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "1029652",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1029652"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/seam2/jboss-seam/commit/090aa6252affc978a96c388e3fc2c1c2688d9bb5"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1044794"
          },
          {
            "name": "56572",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/56572"
          },
          {
            "name": "RHSA-2014:0045",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2014-0045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2014-01-20T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The InterfaceGenerator handler in JBoss Seam Remoting in JBoss Seam 2 framework 2.3.1 and earlier, as used in JBoss Web Framework Kit, allows remote attackers to bypass the WebRemote annotation restriction and obtain information about arbitrary classes and methods on the server classpath via unspecified vectors."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2014-01-22T23:57:00",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "1029652",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1029652"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/seam2/jboss-seam/commit/090aa6252affc978a96c388e3fc2c1c2688d9bb5"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1044794"
        },
        {
          "name": "56572",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/56572"
        },
        {
          "name": "RHSA-2014:0045",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2014-0045.html"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2013-6448",
    "datePublished": "2014-01-23T00:00:00",
    "dateReserved": "2013-11-04T00:00:00",
    "dateUpdated": "2024-08-06T17:39:01.443Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_seam_2_framework:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"2.3.1\", \"matchCriteriaId\": \"D364080C-85B8-46A0-B5C7-1590DAF98320\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.0:beta1:*:*:*:*:*:*\", \"matchCriteriaId\": \"4664C66E-3F4B-471E-AAC9-276834A55499\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.0:cr1:*:*:*:*:*:*\", \"matchCriteriaId\": \"43CACD28-B9A3-46D5-BA99-AA578F51D693\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.0:cr2:*:*:*:*:*:*\", \"matchCriteriaId\": \"1A4951C4-8941-4A7F-B742-B50A812CC4B5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.0:cr3:*:*:*:*:*:*\", \"matchCriteriaId\": \"1A83D0E2-C724-47D1-9A98-7ACADA8810DA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.0:ga:*:*:*:*:*:*\", \"matchCriteriaId\": \"56B7E191-8A62-4BDE-90A4-192BA5696A39\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.1:cr1:*:*:*:*:*:*\", \"matchCriteriaId\": \"4A027797-81BC-4826-BBCC-C5EAEAB3E503\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.1:cr2:*:*:*:*:*:*\", \"matchCriteriaId\": \"67F9B8C2-D2BE-4B4A-829C-528EC716C3FF\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.1:ga:*:*:*:*:*:*\", \"matchCriteriaId\": \"D38126DF-747B-4892-9B63-E7E35F98C760\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.2:cr1:*:*:*:*:*:*\", \"matchCriteriaId\": \"ECD78557-9403-496D-8512-FA693E291164\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.2:cr2:*:*:*:*:*:*\", \"matchCriteriaId\": \"CB076878-0465-44C7-AE59-C9584B3CEE1F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.2:ga:*:*:*:*:*:*\", \"matchCriteriaId\": \"F682D85A-5B8C-4F83-BABD-9D28775C3776\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.2:sp1:*:*:*:*:*:*\", \"matchCriteriaId\": \"43DA16B0-8E35-444D-B0BC-6774BBEC9E49\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.3:cr1:*:*:*:*:*:*\", \"matchCriteriaId\": \"D249483C-D9F2-474F-9DDD-775CA573A642\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.0:alpha1:*:*:*:*:*:*\", \"matchCriteriaId\": \"C5BD9104-7BE9-420F-8DB2-C07748941254\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.0:beta1:*:*:*:*:*:*\", \"matchCriteriaId\": \"A6513765-FEB9-4D7E-AE29-E479707AED02\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.0:cr1:*:*:*:*:*:*\", \"matchCriteriaId\": \"42291710-D8D1-4C77-8A62-E0B80BA3D5AB\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.0:ga:*:*:*:*:*:*\", \"matchCriteriaId\": \"0BBFD756-FF7B-4163-9924-CC922A7EA1AF\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.0:sp1:*:*:*:*:*:*\", \"matchCriteriaId\": \"226579DC-5DFE-4778-9871-4137B556D3A3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.1:cr1:*:*:*:*:*:*\", \"matchCriteriaId\": \"CB03E6D7-1A07-49EB-AB21-E136132BDF1E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.1:cr2:*:*:*:*:*:*\", \"matchCriteriaId\": \"68FE6392-8774-4534-8903-BE9154FE2795\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.1:ga:*:*:*:*:*:*\", \"matchCriteriaId\": \"9F98F783-0AB2-41BE-8B07-D62438824541\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"7A206D39-DBF9-4B14-8703-9081682A1EEE\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.2:cr1:*:*:*:*:*:*\", \"matchCriteriaId\": \"32B2FE67-27F7-4BF7-A78A-0A5FAAADFE20\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.2:cr2:*:*:*:*:*:*\", \"matchCriteriaId\": \"1371416C-30C8-47A6-8A0C-F4E37875BE8F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.0:cr1:*:*:*:*:*:*\", \"matchCriteriaId\": \"CA790538-865A-4249-B6F9-F0CEC5818E57\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.0:ga:*:*:*:*:*:*\", \"matchCriteriaId\": \"62AB605C-3102-4425-A563-817445B2F187\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0E6F5051-BF57-44EA-942F-9E74A06D8B45\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.1:cr1:*:*:*:*:*:*\", \"matchCriteriaId\": \"0FD6DFE0-4FC8-4311-A724-666AA48A64C5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.1:cr2:*:*:*:*:*:*\", \"matchCriteriaId\": \"EB833625-4D55-4BFE-A05C-5650D342C461\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.1:cr3:*:*:*:*:*:*\", \"matchCriteriaId\": \"CB5F7791-FC8F-4E6C-B14D-A31D69086895\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A42F5033-9365-44D7-8B42-A6367456ED8F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_seam_2_framework:2.3.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"04C1DC31-7337-4C24-9DA0-A79D0D442D5A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_seam_2_framework:2.3.0:alpha:*:*:*:*:*:*\", \"matchCriteriaId\": \"7376B2C4-542E-42CE-9970-749B78A30571\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_seam_2_framework:2.3.0:beta1:*:*:*:*:*:*\", \"matchCriteriaId\": \"73C2733D-BA18-4E56-9E08-9F334C7DAAF5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_seam_2_framework:2.3.0:beta2:*:*:*:*:*:*\", \"matchCriteriaId\": \"AFFFDD3E-CBEC-461B-80D8-45EBD04CAE09\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_seam_2_framework:2.3.0:cr1:*:*:*:*:*:*\", \"matchCriteriaId\": \"A5608CA4-7E53-471E-BCD3-F8EA13839557\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_seam_2_framework:2.3.1:cr1:*:*:*:*:*:*\", \"matchCriteriaId\": \"24546C35-AAEF-40DE-889A-8AA50D25968C\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"The InterfaceGenerator handler in JBoss Seam Remoting in JBoss Seam 2 framework 2.3.1 and earlier, as used in JBoss Web Framework Kit, allows remote attackers to bypass the WebRemote annotation restriction and obtain information about arbitrary classes and methods on the server classpath via unspecified vectors.\"}, {\"lang\": \"es\", \"value\": \"El manejador InterfaceGenerator en JBoss Seam Remoting en JBoss Seam 2 framework 2.3.1 y anteriores versiones, tal como se usa en JBoss Web Framework Kit, permite a atacantes remotos evadir la restricci\\u00f3n de anotaci\\u00f3n de WebRemote y obtener informaci\\u00f3n sobre clases y m\\u00e9todos arbitrarios en el servidor classpath a trav\\u00e9s de vectores no especificados.\"}]",
      "id": "CVE-2013-6448",
      "lastModified": "2024-11-21T01:59:15.117",
      "metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:N/A:N\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2014-01-23T00:55:03.380",
      "references": "[{\"url\": \"http://rhn.redhat.com/errata/RHSA-2014-0045.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://secunia.com/advisories/56572\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.securitytracker.com/id/1029652\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=1044794\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"https://github.com/seam2/jboss-seam/commit/090aa6252affc978a96c388e3fc2c1c2688d9bb5\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2014-0045.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://secunia.com/advisories/56572\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.securitytracker.com/id/1029652\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=1044794\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"https://github.com/seam2/jboss-seam/commit/090aa6252affc978a96c388e3fc2c1c2688d9bb5\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "secalert@redhat.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-264\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2013-6448\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2014-01-23T00:55:03.380\",\"lastModified\":\"2024-11-21T01:59:15.117\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The InterfaceGenerator handler in JBoss Seam Remoting in JBoss Seam 2 framework 2.3.1 and earlier, as used in JBoss Web Framework Kit, allows remote attackers to bypass the WebRemote annotation restriction and obtain information about arbitrary classes and methods on the server classpath via unspecified vectors.\"},{\"lang\":\"es\",\"value\":\"El manejador InterfaceGenerator en JBoss Seam Remoting en JBoss Seam 2 framework 2.3.1 y anteriores versiones, tal como se usa en JBoss Web Framework Kit, permite a atacantes remotos evadir la restricci\u00f3n de anotaci\u00f3n de WebRemote y obtener informaci\u00f3n sobre clases y m\u00e9todos arbitrarios en el servidor classpath a trav\u00e9s de vectores no especificados.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-264\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_seam_2_framework:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.3.1\",\"matchCriteriaId\":\"D364080C-85B8-46A0-B5C7-1590DAF98320\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.0:beta1:*:*:*:*:*:*\",\"matchCriteriaId\":\"4664C66E-3F4B-471E-AAC9-276834A55499\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.0:cr1:*:*:*:*:*:*\",\"matchCriteriaId\":\"43CACD28-B9A3-46D5-BA99-AA578F51D693\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.0:cr2:*:*:*:*:*:*\",\"matchCriteriaId\":\"1A4951C4-8941-4A7F-B742-B50A812CC4B5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.0:cr3:*:*:*:*:*:*\",\"matchCriteriaId\":\"1A83D0E2-C724-47D1-9A98-7ACADA8810DA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.0:ga:*:*:*:*:*:*\",\"matchCriteriaId\":\"56B7E191-8A62-4BDE-90A4-192BA5696A39\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.1:cr1:*:*:*:*:*:*\",\"matchCriteriaId\":\"4A027797-81BC-4826-BBCC-C5EAEAB3E503\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.1:cr2:*:*:*:*:*:*\",\"matchCriteriaId\":\"67F9B8C2-D2BE-4B4A-829C-528EC716C3FF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.1:ga:*:*:*:*:*:*\",\"matchCriteriaId\":\"D38126DF-747B-4892-9B63-E7E35F98C760\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.2:cr1:*:*:*:*:*:*\",\"matchCriteriaId\":\"ECD78557-9403-496D-8512-FA693E291164\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.2:cr2:*:*:*:*:*:*\",\"matchCriteriaId\":\"CB076878-0465-44C7-AE59-C9584B3CEE1F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.2:ga:*:*:*:*:*:*\",\"matchCriteriaId\":\"F682D85A-5B8C-4F83-BABD-9D28775C3776\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.2:sp1:*:*:*:*:*:*\",\"matchCriteriaId\":\"43DA16B0-8E35-444D-B0BC-6774BBEC9E49\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.3:cr1:*:*:*:*:*:*\",\"matchCriteriaId\":\"D249483C-D9F2-474F-9DDD-775CA573A642\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.0:alpha1:*:*:*:*:*:*\",\"matchCriteriaId\":\"C5BD9104-7BE9-420F-8DB2-C07748941254\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.0:beta1:*:*:*:*:*:*\",\"matchCriteriaId\":\"A6513765-FEB9-4D7E-AE29-E479707AED02\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.0:cr1:*:*:*:*:*:*\",\"matchCriteriaId\":\"42291710-D8D1-4C77-8A62-E0B80BA3D5AB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.0:ga:*:*:*:*:*:*\",\"matchCriteriaId\":\"0BBFD756-FF7B-4163-9924-CC922A7EA1AF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.0:sp1:*:*:*:*:*:*\",\"matchCriteriaId\":\"226579DC-5DFE-4778-9871-4137B556D3A3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.1:cr1:*:*:*:*:*:*\",\"matchCriteriaId\":\"CB03E6D7-1A07-49EB-AB21-E136132BDF1E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.1:cr2:*:*:*:*:*:*\",\"matchCriteriaId\":\"68FE6392-8774-4534-8903-BE9154FE2795\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.1:ga:*:*:*:*:*:*\",\"matchCriteriaId\":\"9F98F783-0AB2-41BE-8B07-D62438824541\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7A206D39-DBF9-4B14-8703-9081682A1EEE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.2:cr1:*:*:*:*:*:*\",\"matchCriteriaId\":\"32B2FE67-27F7-4BF7-A78A-0A5FAAADFE20\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.2:cr2:*:*:*:*:*:*\",\"matchCriteriaId\":\"1371416C-30C8-47A6-8A0C-F4E37875BE8F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.0:cr1:*:*:*:*:*:*\",\"matchCriteriaId\":\"CA790538-865A-4249-B6F9-F0CEC5818E57\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.0:ga:*:*:*:*:*:*\",\"matchCriteriaId\":\"62AB605C-3102-4425-A563-817445B2F187\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0E6F5051-BF57-44EA-942F-9E74A06D8B45\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.1:cr1:*:*:*:*:*:*\",\"matchCriteriaId\":\"0FD6DFE0-4FC8-4311-A724-666AA48A64C5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.1:cr2:*:*:*:*:*:*\",\"matchCriteriaId\":\"EB833625-4D55-4BFE-A05C-5650D342C461\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.1:cr3:*:*:*:*:*:*\",\"matchCriteriaId\":\"CB5F7791-FC8F-4E6C-B14D-A31D69086895\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A42F5033-9365-44D7-8B42-A6367456ED8F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_seam_2_framework:2.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"04C1DC31-7337-4C24-9DA0-A79D0D442D5A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_seam_2_framework:2.3.0:alpha:*:*:*:*:*:*\",\"matchCriteriaId\":\"7376B2C4-542E-42CE-9970-749B78A30571\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_seam_2_framework:2.3.0:beta1:*:*:*:*:*:*\",\"matchCriteriaId\":\"73C2733D-BA18-4E56-9E08-9F334C7DAAF5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_seam_2_framework:2.3.0:beta2:*:*:*:*:*:*\",\"matchCriteriaId\":\"AFFFDD3E-CBEC-461B-80D8-45EBD04CAE09\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_seam_2_framework:2.3.0:cr1:*:*:*:*:*:*\",\"matchCriteriaId\":\"A5608CA4-7E53-471E-BCD3-F8EA13839557\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_seam_2_framework:2.3.1:cr1:*:*:*:*:*:*\",\"matchCriteriaId\":\"24546C35-AAEF-40DE-889A-8AA50D25968C\"}]}]}],\"references\":[{\"url\":\"http://rhn.redhat.com/errata/RHSA-2014-0045.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://secunia.com/advisories/56572\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.securitytracker.com/id/1029652\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=1044794\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/seam2/jboss-seam/commit/090aa6252affc978a96c388e3fc2c1c2688d9bb5\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2014-0045.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://secunia.com/advisories/56572\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.securitytracker.com/id/1029652\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=1044794\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/seam2/jboss-seam/commit/090aa6252affc978a96c388e3fc2c1c2688d9bb5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}

rhsa-2014:0045

Vulnerability from csaf_redhat

Published

2014-01-20 17:30

Modified

2024-11-22 07:25

Summary

Red Hat Security Advisory: Red Hat JBoss Web Framework Kit 2.4.0 update

Notes

Topic

An update for the seam-remoting component of Red Hat JBoss Web Framework Kit 2.4.0 that fixes two security issues is now available from the Red Hat Customer Portal. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Details

Red Hat JBoss Web Framework Kit combines popular open source web frameworks into a single solution for Java applications. The JBoss Seam Remoting component provides a convenient method of remotely accessing Seam components from a web page, using AJAX (Asynchronous Javascript and XML). It was found that the ExecutionHandler, PollHandler, and SubscriptionHandler classes in JBoss Seam Remoting unmarshalled user-supplied XML and resolved external entities in this XML. A remote attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XML External Entity (XXE) attacks. (CVE-2013-6447) It was found that the InterfaceGenerator handler in JBoss Seam Remoting exposed details of all classes and methods on the server's classpath, not only methods with the org.jboss.seam.annotations.remoting.WebRemote annotation. A remote attacker could use this flaw to determine which classes are deployed on the JBoss server. (CVE-2013-6448) Red Hat would like to thank Jon Passki of Coverity SRL for reporting these issues. All users of Red Hat JBoss Web Framework Kit 2.4.0 as provided from the Red Hat Customer Portal are advised to apply this update.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for the seam-remoting component of Red Hat JBoss Web Framework\nKit 2.4.0 that fixes two security issues is now available from the Red Hat\nCustomer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from the\nCVE link in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat JBoss Web Framework Kit combines popular open source web frameworks\ninto a single solution for Java applications. The JBoss Seam Remoting\ncomponent provides a convenient method of remotely accessing Seam\ncomponents from a web page, using AJAX (Asynchronous Javascript and XML).\n\nIt was found that the ExecutionHandler, PollHandler, and\nSubscriptionHandler classes in JBoss Seam Remoting unmarshalled\nuser-supplied XML and resolved external entities in this XML. A remote\nattacker could use this flaw to read files accessible to the user running\nthe application server, and potentially perform other more advanced XML\nExternal Entity (XXE) attacks. (CVE-2013-6447)\n\nIt was found that the InterfaceGenerator handler in JBoss Seam Remoting\nexposed details of all classes and methods on the server\u0027s classpath, not\nonly methods with the org.jboss.seam.annotations.remoting.WebRemote\nannotation. A remote attacker could use this flaw to determine which\nclasses are deployed on the JBoss server. (CVE-2013-6448)\n\nRed Hat would like to thank Jon Passki of Coverity SRL for reporting these\nissues.\n\nAll users of Red Hat JBoss Web Framework Kit 2.4.0 as provided from the Red\nHat Customer Portal are advised to apply this update.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2014:0045",
        "url": "https://access.redhat.com/errata/RHSA-2014:0045"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=web.framework.kit\u0026downloadType=securityPatches\u0026version=2.4.0",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=web.framework.kit\u0026downloadType=securityPatches\u0026version=2.4.0"
      },
      {
        "category": "external",
        "summary": "1044784",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1044784"
      },
      {
        "category": "external",
        "summary": "1044794",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1044794"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0045.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat JBoss Web Framework Kit 2.4.0 update",
    "tracking": {
      "current_release_date": "2024-11-22T07:25:26+00:00",
      "generator": {
        "date": "2024-11-22T07:25:26+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2014:0045",
      "initial_release_date": "2014-01-20T17:30:41+00:00",
      "revision_history": [
        {
          "date": "2014-01-20T17:30:41+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2019-01-16T09:52:28+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-22T07:25:26+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss Web Framework Kit 2.4",
                "product": {
                  "name": "Red Hat JBoss Web Framework Kit 2.4",
                  "product_id": "Red Hat JBoss Web Framework Kit 2.4",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_web_framework:2.4.0"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Web Framework Kit"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Jon Passki"
          ],
          "organization": "Coverity SRL"
        }
      ],
      "cve": "CVE-2013-6447",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "discovery_date": "2013-12-19T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1044784"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Multiple XML External Entity (XXE) vulnerabilities in the (1) ExecutionHandler, (2) PollHandler, and (3) SubscriptionHandler classes in JBoss Seam Remoting in JBoss Seam 2 framework 2.3.1 and earlier, as used in JBoss Web Framework Kit, allow remote attackers to read arbitrary files and possibly have other impacts via a crafted XML file.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Seam: XML eXternal Entity (XXE) flaw in remoting",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue affects Seam 3 remoting, but Seam 3 is not shipped with any Red Hat products, and Seam 3 development has been terminated. This issue is not currently planned to be addressed in a future update to Seam 3.\n\nRed Hat JBoss BRMS 5; Red Hat JBoss Enterprise Application Platform 4 and 5; Red Hat JBoss Enterprise Portal Platform 5; Red Hat JBoss Enterprise SOA Platform 4 and 5; and Red Hat JBoss Enterprise Web Platform 5 are now in Phase 3, Extended Life Support, of their respective life cycles. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Web Framework Kit 2.4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2013-6447"
        },
        {
          "category": "external",
          "summary": "RHBZ#1044784",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1044784"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2013-6447",
          "url": "https://www.cve.org/CVERecord?id=CVE-2013-6447"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6447",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6447"
        }
      ],
      "release_date": "2014-01-20T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2014-01-20T17:30:41+00:00",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting installation of Red Hat JBoss Web Framework Kit.\n\nThe JBoss server process must be restarted for this update to take effect.",
          "product_ids": [
            "Red Hat JBoss Web Framework Kit 2.4"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:0045"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Web Framework Kit 2.4"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "Seam: XML eXternal Entity (XXE) flaw in remoting"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Jon Passki"
          ],
          "organization": "Coverity SRL"
        }
      ],
      "cve": "CVE-2013-6448",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "discovery_date": "2013-12-19T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1044794"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The InterfaceGenerator handler in JBoss Seam Remoting in JBoss Seam 2 framework 2.3.1 and earlier, as used in JBoss Web Framework Kit, allows remote attackers to bypass the WebRemote annotation restriction and obtain information about arbitrary classes and methods on the server classpath via unspecified vectors.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Seam: Information disclosure in remoting",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat JBoss BRMS 5; Red Hat JBoss Enterprise Application Platform 4 and 5; Red Hat JBoss Enterprise Portal Platform 5; Red Hat JBoss Enterprise SOA Platform 4 and 5; and Red Hat JBoss Enterprise Web Platform 5 are now in Phase 3, Extended Life Support, of their respective life cycles. This issue has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Web Framework Kit 2.4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2013-6448"
        },
        {
          "category": "external",
          "summary": "RHBZ#1044794",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1044794"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2013-6448",
          "url": "https://www.cve.org/CVERecord?id=CVE-2013-6448"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6448",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6448"
        }
      ],
      "release_date": "2014-01-20T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2014-01-20T17:30:41+00:00",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting installation of Red Hat JBoss Web Framework Kit.\n\nThe JBoss server process must be restarted for this update to take effect.",
          "product_ids": [
            "Red Hat JBoss Web Framework Kit 2.4"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:0045"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Web Framework Kit 2.4"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "Seam: Information disclosure in remoting"
    }
  ]
}

RHSA-2014:0045

Vulnerability from csaf_redhat

Published

2014-01-20 17:30

Modified

2024-11-22 07:25

Summary

Red Hat Security Advisory: Red Hat JBoss Web Framework Kit 2.4.0 update

Notes

Topic

Details

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for the seam-remoting component of Red Hat JBoss Web Framework\nKit 2.4.0 that fixes two security issues is now available from the Red Hat\nCustomer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from the\nCVE link in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat JBoss Web Framework Kit combines popular open source web frameworks\ninto a single solution for Java applications. The JBoss Seam Remoting\ncomponent provides a convenient method of remotely accessing Seam\ncomponents from a web page, using AJAX (Asynchronous Javascript and XML).\n\nIt was found that the ExecutionHandler, PollHandler, and\nSubscriptionHandler classes in JBoss Seam Remoting unmarshalled\nuser-supplied XML and resolved external entities in this XML. A remote\nattacker could use this flaw to read files accessible to the user running\nthe application server, and potentially perform other more advanced XML\nExternal Entity (XXE) attacks. (CVE-2013-6447)\n\nIt was found that the InterfaceGenerator handler in JBoss Seam Remoting\nexposed details of all classes and methods on the server\u0027s classpath, not\nonly methods with the org.jboss.seam.annotations.remoting.WebRemote\nannotation. A remote attacker could use this flaw to determine which\nclasses are deployed on the JBoss server. (CVE-2013-6448)\n\nRed Hat would like to thank Jon Passki of Coverity SRL for reporting these\nissues.\n\nAll users of Red Hat JBoss Web Framework Kit 2.4.0 as provided from the Red\nHat Customer Portal are advised to apply this update.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2014:0045",
        "url": "https://access.redhat.com/errata/RHSA-2014:0045"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=web.framework.kit\u0026downloadType=securityPatches\u0026version=2.4.0",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=web.framework.kit\u0026downloadType=securityPatches\u0026version=2.4.0"
      },
      {
        "category": "external",
        "summary": "1044784",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1044784"
      },
      {
        "category": "external",
        "summary": "1044794",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1044794"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0045.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat JBoss Web Framework Kit 2.4.0 update",
    "tracking": {
      "current_release_date": "2024-11-22T07:25:26+00:00",
      "generator": {
        "date": "2024-11-22T07:25:26+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2014:0045",
      "initial_release_date": "2014-01-20T17:30:41+00:00",
      "revision_history": [
        {
          "date": "2014-01-20T17:30:41+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2019-01-16T09:52:28+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-22T07:25:26+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss Web Framework Kit 2.4",
                "product": {
                  "name": "Red Hat JBoss Web Framework Kit 2.4",
                  "product_id": "Red Hat JBoss Web Framework Kit 2.4",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_web_framework:2.4.0"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Web Framework Kit"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Jon Passki"
          ],
          "organization": "Coverity SRL"
        }
      ],
      "cve": "CVE-2013-6447",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "discovery_date": "2013-12-19T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1044784"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Multiple XML External Entity (XXE) vulnerabilities in the (1) ExecutionHandler, (2) PollHandler, and (3) SubscriptionHandler classes in JBoss Seam Remoting in JBoss Seam 2 framework 2.3.1 and earlier, as used in JBoss Web Framework Kit, allow remote attackers to read arbitrary files and possibly have other impacts via a crafted XML file.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Seam: XML eXternal Entity (XXE) flaw in remoting",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue affects Seam 3 remoting, but Seam 3 is not shipped with any Red Hat products, and Seam 3 development has been terminated. This issue is not currently planned to be addressed in a future update to Seam 3.\n\nRed Hat JBoss BRMS 5; Red Hat JBoss Enterprise Application Platform 4 and 5; Red Hat JBoss Enterprise Portal Platform 5; Red Hat JBoss Enterprise SOA Platform 4 and 5; and Red Hat JBoss Enterprise Web Platform 5 are now in Phase 3, Extended Life Support, of their respective life cycles. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Web Framework Kit 2.4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2013-6447"
        },
        {
          "category": "external",
          "summary": "RHBZ#1044784",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1044784"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2013-6447",
          "url": "https://www.cve.org/CVERecord?id=CVE-2013-6447"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6447",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6447"
        }
      ],
      "release_date": "2014-01-20T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2014-01-20T17:30:41+00:00",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting installation of Red Hat JBoss Web Framework Kit.\n\nThe JBoss server process must be restarted for this update to take effect.",
          "product_ids": [
            "Red Hat JBoss Web Framework Kit 2.4"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:0045"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Web Framework Kit 2.4"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "Seam: XML eXternal Entity (XXE) flaw in remoting"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Jon Passki"
          ],
          "organization": "Coverity SRL"
        }
      ],
      "cve": "CVE-2013-6448",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "discovery_date": "2013-12-19T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1044794"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The InterfaceGenerator handler in JBoss Seam Remoting in JBoss Seam 2 framework 2.3.1 and earlier, as used in JBoss Web Framework Kit, allows remote attackers to bypass the WebRemote annotation restriction and obtain information about arbitrary classes and methods on the server classpath via unspecified vectors.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Seam: Information disclosure in remoting",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat JBoss BRMS 5; Red Hat JBoss Enterprise Application Platform 4 and 5; Red Hat JBoss Enterprise Portal Platform 5; Red Hat JBoss Enterprise SOA Platform 4 and 5; and Red Hat JBoss Enterprise Web Platform 5 are now in Phase 3, Extended Life Support, of their respective life cycles. This issue has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Web Framework Kit 2.4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2013-6448"
        },
        {
          "category": "external",
          "summary": "RHBZ#1044794",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1044794"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2013-6448",
          "url": "https://www.cve.org/CVERecord?id=CVE-2013-6448"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6448",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6448"
        }
      ],
      "release_date": "2014-01-20T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2014-01-20T17:30:41+00:00",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting installation of Red Hat JBoss Web Framework Kit.\n\nThe JBoss server process must be restarted for this update to take effect.",
          "product_ids": [
            "Red Hat JBoss Web Framework Kit 2.4"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:0045"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Web Framework Kit 2.4"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "Seam: Information disclosure in remoting"
    }
  ]
}

rhsa-2014_0045

Vulnerability from csaf_redhat

Published

2014-01-20 17:30

Modified

2024-11-22 07:25

Summary

Red Hat Security Advisory: Red Hat JBoss Web Framework Kit 2.4.0 update

Notes

Topic

Details

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for the seam-remoting component of Red Hat JBoss Web Framework\nKit 2.4.0 that fixes two security issues is now available from the Red Hat\nCustomer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from the\nCVE link in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat JBoss Web Framework Kit combines popular open source web frameworks\ninto a single solution for Java applications. The JBoss Seam Remoting\ncomponent provides a convenient method of remotely accessing Seam\ncomponents from a web page, using AJAX (Asynchronous Javascript and XML).\n\nIt was found that the ExecutionHandler, PollHandler, and\nSubscriptionHandler classes in JBoss Seam Remoting unmarshalled\nuser-supplied XML and resolved external entities in this XML. A remote\nattacker could use this flaw to read files accessible to the user running\nthe application server, and potentially perform other more advanced XML\nExternal Entity (XXE) attacks. (CVE-2013-6447)\n\nIt was found that the InterfaceGenerator handler in JBoss Seam Remoting\nexposed details of all classes and methods on the server\u0027s classpath, not\nonly methods with the org.jboss.seam.annotations.remoting.WebRemote\nannotation. A remote attacker could use this flaw to determine which\nclasses are deployed on the JBoss server. (CVE-2013-6448)\n\nRed Hat would like to thank Jon Passki of Coverity SRL for reporting these\nissues.\n\nAll users of Red Hat JBoss Web Framework Kit 2.4.0 as provided from the Red\nHat Customer Portal are advised to apply this update.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2014:0045",
        "url": "https://access.redhat.com/errata/RHSA-2014:0045"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=web.framework.kit\u0026downloadType=securityPatches\u0026version=2.4.0",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=web.framework.kit\u0026downloadType=securityPatches\u0026version=2.4.0"
      },
      {
        "category": "external",
        "summary": "1044784",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1044784"
      },
      {
        "category": "external",
        "summary": "1044794",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1044794"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0045.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat JBoss Web Framework Kit 2.4.0 update",
    "tracking": {
      "current_release_date": "2024-11-22T07:25:26+00:00",
      "generator": {
        "date": "2024-11-22T07:25:26+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2014:0045",
      "initial_release_date": "2014-01-20T17:30:41+00:00",
      "revision_history": [
        {
          "date": "2014-01-20T17:30:41+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2019-01-16T09:52:28+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-22T07:25:26+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss Web Framework Kit 2.4",
                "product": {
                  "name": "Red Hat JBoss Web Framework Kit 2.4",
                  "product_id": "Red Hat JBoss Web Framework Kit 2.4",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_web_framework:2.4.0"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Web Framework Kit"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Jon Passki"
          ],
          "organization": "Coverity SRL"
        }
      ],
      "cve": "CVE-2013-6447",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "discovery_date": "2013-12-19T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1044784"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Multiple XML External Entity (XXE) vulnerabilities in the (1) ExecutionHandler, (2) PollHandler, and (3) SubscriptionHandler classes in JBoss Seam Remoting in JBoss Seam 2 framework 2.3.1 and earlier, as used in JBoss Web Framework Kit, allow remote attackers to read arbitrary files and possibly have other impacts via a crafted XML file.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Seam: XML eXternal Entity (XXE) flaw in remoting",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue affects Seam 3 remoting, but Seam 3 is not shipped with any Red Hat products, and Seam 3 development has been terminated. This issue is not currently planned to be addressed in a future update to Seam 3.\n\nRed Hat JBoss BRMS 5; Red Hat JBoss Enterprise Application Platform 4 and 5; Red Hat JBoss Enterprise Portal Platform 5; Red Hat JBoss Enterprise SOA Platform 4 and 5; and Red Hat JBoss Enterprise Web Platform 5 are now in Phase 3, Extended Life Support, of their respective life cycles. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Web Framework Kit 2.4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2013-6447"
        },
        {
          "category": "external",
          "summary": "RHBZ#1044784",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1044784"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2013-6447",
          "url": "https://www.cve.org/CVERecord?id=CVE-2013-6447"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6447",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6447"
        }
      ],
      "release_date": "2014-01-20T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2014-01-20T17:30:41+00:00",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting installation of Red Hat JBoss Web Framework Kit.\n\nThe JBoss server process must be restarted for this update to take effect.",
          "product_ids": [
            "Red Hat JBoss Web Framework Kit 2.4"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:0045"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Web Framework Kit 2.4"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "Seam: XML eXternal Entity (XXE) flaw in remoting"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Jon Passki"
          ],
          "organization": "Coverity SRL"
        }
      ],
      "cve": "CVE-2013-6448",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "discovery_date": "2013-12-19T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1044794"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The InterfaceGenerator handler in JBoss Seam Remoting in JBoss Seam 2 framework 2.3.1 and earlier, as used in JBoss Web Framework Kit, allows remote attackers to bypass the WebRemote annotation restriction and obtain information about arbitrary classes and methods on the server classpath via unspecified vectors.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Seam: Information disclosure in remoting",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat JBoss BRMS 5; Red Hat JBoss Enterprise Application Platform 4 and 5; Red Hat JBoss Enterprise Portal Platform 5; Red Hat JBoss Enterprise SOA Platform 4 and 5; and Red Hat JBoss Enterprise Web Platform 5 are now in Phase 3, Extended Life Support, of their respective life cycles. This issue has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Web Framework Kit 2.4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2013-6448"
        },
        {
          "category": "external",
          "summary": "RHBZ#1044794",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1044794"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2013-6448",
          "url": "https://www.cve.org/CVERecord?id=CVE-2013-6448"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6448",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6448"
        }
      ],
      "release_date": "2014-01-20T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2014-01-20T17:30:41+00:00",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting installation of Red Hat JBoss Web Framework Kit.\n\nThe JBoss server process must be restarted for this update to take effect.",
          "product_ids": [
            "Red Hat JBoss Web Framework Kit 2.4"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:0045"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Web Framework Kit 2.4"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "Seam: Information disclosure in remoting"
    }
  ]
}

gsd-2013-6448

Vulnerability from gsd

Modified

2023-12-13 01:22

Details

Aliases

CVE-2013-6448

Aliases

CVE-2013-6448

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2013-6448",
    "description": "The InterfaceGenerator handler in JBoss Seam Remoting in JBoss Seam 2 framework 2.3.1 and earlier, as used in JBoss Web Framework Kit, allows remote attackers to bypass the WebRemote annotation restriction and obtain information about arbitrary classes and methods on the server classpath via unspecified vectors.",
    "id": "GSD-2013-6448"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2013-6448"
      ],
      "details": "The InterfaceGenerator handler in JBoss Seam Remoting in JBoss Seam 2 framework 2.3.1 and earlier, as used in JBoss Web Framework Kit, allows remote attackers to bypass the WebRemote annotation restriction and obtain information about arbitrary classes and methods on the server classpath via unspecified vectors.",
      "id": "GSD-2013-6448",
      "modified": "2023-12-13T01:22:19.804005Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert@redhat.com",
        "ID": "CVE-2013-6448",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The InterfaceGenerator handler in JBoss Seam Remoting in JBoss Seam 2 framework 2.3.1 and earlier, as used in JBoss Web Framework Kit, allows remote attackers to bypass the WebRemote annotation restriction and obtain information about arbitrary classes and methods on the server classpath via unspecified vectors."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://rhn.redhat.com/errata/RHSA-2014-0045.html",
            "refsource": "MISC",
            "url": "http://rhn.redhat.com/errata/RHSA-2014-0045.html"
          },
          {
            "name": "http://secunia.com/advisories/56572",
            "refsource": "MISC",
            "url": "http://secunia.com/advisories/56572"
          },
          {
            "name": "http://www.securitytracker.com/id/1029652",
            "refsource": "MISC",
            "url": "http://www.securitytracker.com/id/1029652"
          },
          {
            "name": "https://github.com/seam2/jboss-seam/commit/090aa6252affc978a96c388e3fc2c1c2688d9bb5",
            "refsource": "MISC",
            "url": "https://github.com/seam2/jboss-seam/commit/090aa6252affc978a96c388e3fc2c1c2688d9bb5"
          },
          {
            "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1044794",
            "refsource": "MISC",
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1044794"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.3.1:cr1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_seam_2_framework:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "2.3.1",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.3.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.3.0:cr1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.2:ga:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.2:sp1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.3:cr1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.0:alpha1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.1:cr1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.1:cr2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.1:cr3:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.0:cr1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.0:cr2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.0:cr3:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.0:ga:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.1:cr1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.1:cr2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.1:ga:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.3.0:beta1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.0:beta1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.1:cr1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.1:ga:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.2:cr2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.0:beta1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.0:ga:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.2:cr2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.0:ga:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.3.0:beta2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.3.0:alpha:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.1:cr2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.2:cr1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.0:cr1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.0:sp1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.2:cr1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.0:cr1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2013-6448"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The InterfaceGenerator handler in JBoss Seam Remoting in JBoss Seam 2 framework 2.3.1 and earlier, as used in JBoss Web Framework Kit, allows remote attackers to bypass the WebRemote annotation restriction and obtain information about arbitrary classes and methods on the server classpath via unspecified vectors."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-264"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "1029652",
              "refsource": "SECTRACK",
              "tags": [],
              "url": "http://www.securitytracker.com/id/1029652"
            },
            {
              "name": "https://github.com/seam2/jboss-seam/commit/090aa6252affc978a96c388e3fc2c1c2688d9bb5",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "https://github.com/seam2/jboss-seam/commit/090aa6252affc978a96c388e3fc2c1c2688d9bb5"
            },
            {
              "name": "RHSA-2014:0045",
              "refsource": "REDHAT",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2014-0045.html"
            },
            {
              "name": "56572",
              "refsource": "SECUNIA",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://secunia.com/advisories/56572"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1044794",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1044794"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2014-01-23T18:17Z",
      "publishedDate": "2014-01-23T00:55Z"
    }
  }
}

fkie_cve-2013-6448

Vulnerability from fkie_nvd

Published

2014-01-23 00:55

Modified

2024-11-21 01:59

Severity ?

Summary

References

URL	Tags
secalert@redhat.com	http://rhn.redhat.com/errata/RHSA-2014-0045.html	Vendor Advisory
secalert@redhat.com	http://secunia.com/advisories/56572	Vendor Advisory
secalert@redhat.com	http://www.securitytracker.com/id/1029652
secalert@redhat.com	https://bugzilla.redhat.com/show_bug.cgi?id=1044794	Patch, Vendor Advisory
secalert@redhat.com	https://github.com/seam2/jboss-seam/commit/090aa6252affc978a96c388e3fc2c1c2688d9bb5
af854a3a-2127-422b-91ae-364da2661108	http://rhn.redhat.com/errata/RHSA-2014-0045.html	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/56572	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securitytracker.com/id/1029652
af854a3a-2127-422b-91ae-364da2661108	https://bugzilla.redhat.com/show_bug.cgi?id=1044794	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/seam2/jboss-seam/commit/090aa6252affc978a96c388e3fc2c1c2688d9bb5

Impacted products

Vendor	Product	Version
redhat	jboss_seam_2_framework	*
redhat	jboss_seam_2_framework	2.0.0
redhat	jboss_seam_2_framework	2.0.0
redhat	jboss_seam_2_framework	2.0.0
redhat	jboss_seam_2_framework	2.0.0
redhat	jboss_seam_2_framework	2.0.0
redhat	jboss_seam_2_framework	2.0.1
redhat	jboss_seam_2_framework	2.0.1
redhat	jboss_seam_2_framework	2.0.1
redhat	jboss_seam_2_framework	2.0.2
redhat	jboss_seam_2_framework	2.0.2
redhat	jboss_seam_2_framework	2.0.2
redhat	jboss_seam_2_framework	2.0.2
redhat	jboss_seam_2_framework	2.0.3
redhat	jboss_seam_2_framework	2.1.0
redhat	jboss_seam_2_framework	2.1.0
redhat	jboss_seam_2_framework	2.1.0
redhat	jboss_seam_2_framework	2.1.0
redhat	jboss_seam_2_framework	2.1.0
redhat	jboss_seam_2_framework	2.1.1
redhat	jboss_seam_2_framework	2.1.1
redhat	jboss_seam_2_framework	2.1.1
redhat	jboss_seam_2_framework	2.1.2
redhat	jboss_seam_2_framework	2.1.2
redhat	jboss_seam_2_framework	2.1.2
redhat	jboss_seam_2_framework	2.2.0
redhat	jboss_seam_2_framework	2.2.0
redhat	jboss_seam_2_framework	2.2.1
redhat	jboss_seam_2_framework	2.2.1
redhat	jboss_seam_2_framework	2.2.1
redhat	jboss_seam_2_framework	2.2.1
redhat	jboss_seam_2_framework	2.2.2
redhat	jboss_seam_2_framework	2.3.0
redhat	jboss_seam_2_framework	2.3.0
redhat	jboss_seam_2_framework	2.3.0
redhat	jboss_seam_2_framework	2.3.0
redhat	jboss_seam_2_framework	2.3.0
redhat	jboss_seam_2_framework	2.3.1

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D364080C-85B8-46A0-B5C7-1590DAF98320",
              "versionEndIncluding": "2.3.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.0:beta1:*:*:*:*:*:*",
              "matchCriteriaId": "4664C66E-3F4B-471E-AAC9-276834A55499",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.0:cr1:*:*:*:*:*:*",
              "matchCriteriaId": "43CACD28-B9A3-46D5-BA99-AA578F51D693",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.0:cr2:*:*:*:*:*:*",
              "matchCriteriaId": "1A4951C4-8941-4A7F-B742-B50A812CC4B5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.0:cr3:*:*:*:*:*:*",
              "matchCriteriaId": "1A83D0E2-C724-47D1-9A98-7ACADA8810DA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.0:ga:*:*:*:*:*:*",
              "matchCriteriaId": "56B7E191-8A62-4BDE-90A4-192BA5696A39",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.1:cr1:*:*:*:*:*:*",
              "matchCriteriaId": "4A027797-81BC-4826-BBCC-C5EAEAB3E503",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.1:cr2:*:*:*:*:*:*",
              "matchCriteriaId": "67F9B8C2-D2BE-4B4A-829C-528EC716C3FF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.1:ga:*:*:*:*:*:*",
              "matchCriteriaId": "D38126DF-747B-4892-9B63-E7E35F98C760",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.2:cr1:*:*:*:*:*:*",
              "matchCriteriaId": "ECD78557-9403-496D-8512-FA693E291164",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.2:cr2:*:*:*:*:*:*",
              "matchCriteriaId": "CB076878-0465-44C7-AE59-C9584B3CEE1F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.2:ga:*:*:*:*:*:*",
              "matchCriteriaId": "F682D85A-5B8C-4F83-BABD-9D28775C3776",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.2:sp1:*:*:*:*:*:*",
              "matchCriteriaId": "43DA16B0-8E35-444D-B0BC-6774BBEC9E49",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.3:cr1:*:*:*:*:*:*",
              "matchCriteriaId": "D249483C-D9F2-474F-9DDD-775CA573A642",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.0:alpha1:*:*:*:*:*:*",
              "matchCriteriaId": "C5BD9104-7BE9-420F-8DB2-C07748941254",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.0:beta1:*:*:*:*:*:*",
              "matchCriteriaId": "A6513765-FEB9-4D7E-AE29-E479707AED02",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.0:cr1:*:*:*:*:*:*",
              "matchCriteriaId": "42291710-D8D1-4C77-8A62-E0B80BA3D5AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.0:ga:*:*:*:*:*:*",
              "matchCriteriaId": "0BBFD756-FF7B-4163-9924-CC922A7EA1AF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.0:sp1:*:*:*:*:*:*",
              "matchCriteriaId": "226579DC-5DFE-4778-9871-4137B556D3A3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.1:cr1:*:*:*:*:*:*",
              "matchCriteriaId": "CB03E6D7-1A07-49EB-AB21-E136132BDF1E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.1:cr2:*:*:*:*:*:*",
              "matchCriteriaId": "68FE6392-8774-4534-8903-BE9154FE2795",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.1:ga:*:*:*:*:*:*",
              "matchCriteriaId": "9F98F783-0AB2-41BE-8B07-D62438824541",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "7A206D39-DBF9-4B14-8703-9081682A1EEE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.2:cr1:*:*:*:*:*:*",
              "matchCriteriaId": "32B2FE67-27F7-4BF7-A78A-0A5FAAADFE20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.2:cr2:*:*:*:*:*:*",
              "matchCriteriaId": "1371416C-30C8-47A6-8A0C-F4E37875BE8F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.0:cr1:*:*:*:*:*:*",
              "matchCriteriaId": "CA790538-865A-4249-B6F9-F0CEC5818E57",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.0:ga:*:*:*:*:*:*",
              "matchCriteriaId": "62AB605C-3102-4425-A563-817445B2F187",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "0E6F5051-BF57-44EA-942F-9E74A06D8B45",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.1:cr1:*:*:*:*:*:*",
              "matchCriteriaId": "0FD6DFE0-4FC8-4311-A724-666AA48A64C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.1:cr2:*:*:*:*:*:*",
              "matchCriteriaId": "EB833625-4D55-4BFE-A05C-5650D342C461",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.1:cr3:*:*:*:*:*:*",
              "matchCriteriaId": "CB5F7791-FC8F-4E6C-B14D-A31D69086895",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "A42F5033-9365-44D7-8B42-A6367456ED8F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "04C1DC31-7337-4C24-9DA0-A79D0D442D5A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.3.0:alpha:*:*:*:*:*:*",
              "matchCriteriaId": "7376B2C4-542E-42CE-9970-749B78A30571",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.3.0:beta1:*:*:*:*:*:*",
              "matchCriteriaId": "73C2733D-BA18-4E56-9E08-9F334C7DAAF5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.3.0:beta2:*:*:*:*:*:*",
              "matchCriteriaId": "AFFFDD3E-CBEC-461B-80D8-45EBD04CAE09",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.3.0:cr1:*:*:*:*:*:*",
              "matchCriteriaId": "A5608CA4-7E53-471E-BCD3-F8EA13839557",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.3.1:cr1:*:*:*:*:*:*",
              "matchCriteriaId": "24546C35-AAEF-40DE-889A-8AA50D25968C",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The InterfaceGenerator handler in JBoss Seam Remoting in JBoss Seam 2 framework 2.3.1 and earlier, as used in JBoss Web Framework Kit, allows remote attackers to bypass the WebRemote annotation restriction and obtain information about arbitrary classes and methods on the server classpath via unspecified vectors."
    },
    {
      "lang": "es",
      "value": "El manejador InterfaceGenerator en JBoss Seam Remoting en JBoss Seam 2 framework 2.3.1 y anteriores versiones, tal como se usa en JBoss Web Framework Kit, permite a atacantes remotos evadir la restricci\u00f3n de anotaci\u00f3n de WebRemote y obtener informaci\u00f3n sobre clases y m\u00e9todos arbitrarios en el servidor classpath a trav\u00e9s de vectores no especificados."
    }
  ],
  "id": "CVE-2013-6448",
  "lastModified": "2024-11-21T01:59:15.117",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2014-01-23T00:55:03.380",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://rhn.redhat.com/errata/RHSA-2014-0045.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/56572"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.securitytracker.com/id/1029652"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1044794"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://github.com/seam2/jboss-seam/commit/090aa6252affc978a96c388e3fc2c1c2688d9bb5"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://rhn.redhat.com/errata/RHSA-2014-0045.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/56572"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securitytracker.com/id/1029652"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1044794"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/seam2/jboss-seam/commit/090aa6252affc978a96c388e3fc2c1c2688d9bb5"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-264"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

ghsa-4vqm-j4g4-5vv7

Vulnerability from github

Published

2022-05-17 04:54

Modified

2022-05-17 04:54

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2013-6448"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2014-01-23T00:55:00Z",
    "severity": "MODERATE"
  },
  "details": "The InterfaceGenerator handler in JBoss Seam Remoting in JBoss Seam 2 framework 2.3.1 and earlier, as used in JBoss Web Framework Kit, allows remote attackers to bypass the WebRemote annotation restriction and obtain information about arbitrary classes and methods on the server classpath via unspecified vectors.",
  "id": "GHSA-4vqm-j4g4-5vv7",
  "modified": "2022-05-17T04:54:13Z",
  "published": "2022-05-17T04:54:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6448"
    },
    {
      "type": "WEB",
      "url": "https://github.com/seam2/jboss-seam/commit/090aa6252affc978a96c388e3fc2c1c2688d9bb5"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1044794"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-0045.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/56572"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1029652"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

cve-2013-6448

Vulnerability from cvelistv5

rhsa-2014:0045

Vulnerability from csaf_redhat

RHSA-2014:0045

Vulnerability from csaf_redhat

rhsa-2014_0045

Vulnerability from csaf_redhat

gsd-2013-6448

Vulnerability from gsd

fkie_cve-2013-6448

Vulnerability from fkie_nvd

ghsa-4vqm-j4g4-5vv7

Vulnerability from github

Tags

Sightings

Nomenclature