FKIE_CVE-2011-1484

Vulnerability from fkie_nvd - Published: 2011-07-27 02:42 - Updated: 2025-04-11 00:51
Severity ?
Summary
jboss-seam.jar in the JBoss Seam 2 framework 2.2.x and earlier, as distributed in Red Hat JBoss Enterprise SOA Platform 4.3.0.CP04 and 5.1.0 and JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3.0.CP09 and 5.1.0, does not properly restrict use of Expression Language (EL) statements in FacesMessages during page exception handling, which allows remote attackers to execute arbitrary Java code via a crafted URL to an application.
References
secalert@redhat.comhttp://www.redhat.com/support/errata/RHSA-2011-0460.htmlVendor Advisory
secalert@redhat.comhttp://www.redhat.com/support/errata/RHSA-2011-0461.htmlVendor Advisory
secalert@redhat.comhttp://www.redhat.com/support/errata/RHSA-2011-0462.htmlVendor Advisory
secalert@redhat.comhttp://www.redhat.com/support/errata/RHSA-2011-0463.htmlVendor Advisory
secalert@redhat.comhttp://www.redhat.com/support/errata/RHSA-2011-1148.html
secalert@redhat.comhttp://www.redhat.com/support/errata/RHSA-2011-1251.html
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=692421
secalert@redhat.comhttps://docs.redhat.com/docs/en-US/JBoss_Communications_Platform/5.1/html/5.1.1_Release_Notes/ar01s05.html
af854a3a-2127-422b-91ae-364da2661108http://www.redhat.com/support/errata/RHSA-2011-0460.htmlVendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.redhat.com/support/errata/RHSA-2011-0461.htmlVendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.redhat.com/support/errata/RHSA-2011-0462.htmlVendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.redhat.com/support/errata/RHSA-2011-0463.htmlVendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.redhat.com/support/errata/RHSA-2011-1148.html
af854a3a-2127-422b-91ae-364da2661108http://www.redhat.com/support/errata/RHSA-2011-1251.html
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=692421
af854a3a-2127-422b-91ae-364da2661108https://docs.redhat.com/docs/en-US/JBoss_Communications_Platform/5.1/html/5.1.1_Release_Notes/ar01s05.html
Impacted products
Vendor Product Version
redhat jboss_enterprise_application_platform 4.3.0
redhat jboss_enterprise_application_platform 5.1.0
redhat jboss_enterprise_soa_platform 4.3.0
redhat jboss_enterprise_soa_platform 5.1.0
redhat jboss_seam_2_framework *
redhat jboss_seam_2_framework 2.0.0
redhat jboss_seam_2_framework 2.0.0
redhat jboss_seam_2_framework 2.0.0
redhat jboss_seam_2_framework 2.0.0
redhat jboss_seam_2_framework 2.0.0
redhat jboss_seam_2_framework 2.0.1
redhat jboss_seam_2_framework 2.0.1
redhat jboss_seam_2_framework 2.0.1
redhat jboss_seam_2_framework 2.0.2
redhat jboss_seam_2_framework 2.0.2
redhat jboss_seam_2_framework 2.0.2
redhat jboss_seam_2_framework 2.0.2
redhat jboss_seam_2_framework 2.0.3
redhat jboss_seam_2_framework 2.1.0
redhat jboss_seam_2_framework 2.1.0
redhat jboss_seam_2_framework 2.1.0
redhat jboss_seam_2_framework 2.1.0
redhat jboss_seam_2_framework 2.1.0
redhat jboss_seam_2_framework 2.1.1
redhat jboss_seam_2_framework 2.1.1
redhat jboss_seam_2_framework 2.1.1
redhat jboss_seam_2_framework 2.1.2
redhat jboss_seam_2_framework 2.1.2
redhat jboss_seam_2_framework 2.1.2
redhat jboss_seam_2_framework 2.2.0
redhat jboss_seam_2_framework 2.2.0
redhat jboss_seam_2_framework 2.2.1
redhat jboss_seam_2_framework 2.2.1
redhat jboss_seam_2_framework 2.2.1
redhat jboss_seam_2_framework 2.2.1
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:cp09:*:*:*:*:*:*",
              "matchCriteriaId": "FA7424BA-1E18-4267-9697-F4560BE75359",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "972C5C87-E982-44A5-866D-FDEACB5203B8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:4.3.0:cp04:*:*:*:*:*:*",
              "matchCriteriaId": "23F0650B-C39D-4C7D-8BB9-BBA951BA8AAE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "2B72D56E-DE3C-4383-906D-F3DCD9D09CC9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BB8AAFEA-2C73-460E-AAF3-C076041C7335",
              "versionEndIncluding": "2.2.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.0:beta1:*:*:*:*:*:*",
              "matchCriteriaId": "4664C66E-3F4B-471E-AAC9-276834A55499",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.0:cr1:*:*:*:*:*:*",
              "matchCriteriaId": "43CACD28-B9A3-46D5-BA99-AA578F51D693",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.0:cr2:*:*:*:*:*:*",
              "matchCriteriaId": "1A4951C4-8941-4A7F-B742-B50A812CC4B5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.0:cr3:*:*:*:*:*:*",
              "matchCriteriaId": "1A83D0E2-C724-47D1-9A98-7ACADA8810DA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.0:ga:*:*:*:*:*:*",
              "matchCriteriaId": "56B7E191-8A62-4BDE-90A4-192BA5696A39",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.1:cr1:*:*:*:*:*:*",
              "matchCriteriaId": "4A027797-81BC-4826-BBCC-C5EAEAB3E503",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.1:cr2:*:*:*:*:*:*",
              "matchCriteriaId": "67F9B8C2-D2BE-4B4A-829C-528EC716C3FF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.1:ga:*:*:*:*:*:*",
              "matchCriteriaId": "D38126DF-747B-4892-9B63-E7E35F98C760",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.2:cr1:*:*:*:*:*:*",
              "matchCriteriaId": "ECD78557-9403-496D-8512-FA693E291164",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.2:cr2:*:*:*:*:*:*",
              "matchCriteriaId": "CB076878-0465-44C7-AE59-C9584B3CEE1F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.2:ga:*:*:*:*:*:*",
              "matchCriteriaId": "F682D85A-5B8C-4F83-BABD-9D28775C3776",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.2:sp1:*:*:*:*:*:*",
              "matchCriteriaId": "43DA16B0-8E35-444D-B0BC-6774BBEC9E49",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.3:cr1:*:*:*:*:*:*",
              "matchCriteriaId": "D249483C-D9F2-474F-9DDD-775CA573A642",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.0:alpha1:*:*:*:*:*:*",
              "matchCriteriaId": "C5BD9104-7BE9-420F-8DB2-C07748941254",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.0:beta1:*:*:*:*:*:*",
              "matchCriteriaId": "A6513765-FEB9-4D7E-AE29-E479707AED02",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.0:cr1:*:*:*:*:*:*",
              "matchCriteriaId": "42291710-D8D1-4C77-8A62-E0B80BA3D5AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.0:ga:*:*:*:*:*:*",
              "matchCriteriaId": "0BBFD756-FF7B-4163-9924-CC922A7EA1AF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.0:sp1:*:*:*:*:*:*",
              "matchCriteriaId": "226579DC-5DFE-4778-9871-4137B556D3A3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.1:cr1:*:*:*:*:*:*",
              "matchCriteriaId": "CB03E6D7-1A07-49EB-AB21-E136132BDF1E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.1:cr2:*:*:*:*:*:*",
              "matchCriteriaId": "68FE6392-8774-4534-8903-BE9154FE2795",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.1:ga:*:*:*:*:*:*",
              "matchCriteriaId": "9F98F783-0AB2-41BE-8B07-D62438824541",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "7A206D39-DBF9-4B14-8703-9081682A1EEE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.2:cr1:*:*:*:*:*:*",
              "matchCriteriaId": "32B2FE67-27F7-4BF7-A78A-0A5FAAADFE20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.2:cr2:*:*:*:*:*:*",
              "matchCriteriaId": "1371416C-30C8-47A6-8A0C-F4E37875BE8F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.0:cr1:*:*:*:*:*:*",
              "matchCriteriaId": "CA790538-865A-4249-B6F9-F0CEC5818E57",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.0:ga:*:*:*:*:*:*",
              "matchCriteriaId": "62AB605C-3102-4425-A563-817445B2F187",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "0E6F5051-BF57-44EA-942F-9E74A06D8B45",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.1:cr1:*:*:*:*:*:*",
              "matchCriteriaId": "0FD6DFE0-4FC8-4311-A724-666AA48A64C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.1:cr2:*:*:*:*:*:*",
              "matchCriteriaId": "EB833625-4D55-4BFE-A05C-5650D342C461",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.1:cr3:*:*:*:*:*:*",
              "matchCriteriaId": "CB5F7791-FC8F-4E6C-B14D-A31D69086895",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "jboss-seam.jar in the JBoss Seam 2 framework 2.2.x and earlier, as distributed in Red Hat JBoss Enterprise SOA Platform 4.3.0.CP04 and 5.1.0 and JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3.0.CP09 and 5.1.0, does not properly restrict use of Expression Language (EL) statements in FacesMessages during page exception handling, which allows remote attackers to execute arbitrary Java code via a crafted URL to an application."
    },
    {
      "lang": "es",
      "value": "jboss-seam.jar en el framework JBoss Seam 2 2.2.x y versiones anteriores, tal como se distribuye con la plataforma Hat JBoss Enterprise SOA 4.3.0.CP04 y 5.1.0 y JBoss Enterprise Application Platform (JBoss EAP o JBEAP) 4.3.0.CP09 y 5.1.0, no restringen el uso de instrucciones de \"Expression Language\" (EL) en FacesMessages durante el manejo de excepciones de p\u00e1gina, lo que permite a atacantes remotos ejecutar c\u00f3digo Java arbitrario a trav\u00e9s de una URL modificada a una aplicaci\u00f3n."
    }
  ],
  "id": "CVE-2011-1484",
  "lastModified": "2025-04-11T00:51:21.963",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2011-07-27T02:42:27.203",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.redhat.com/support/errata/RHSA-2011-0460.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.redhat.com/support/errata/RHSA-2011-0461.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.redhat.com/support/errata/RHSA-2011-0462.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.redhat.com/support/errata/RHSA-2011-0463.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.redhat.com/support/errata/RHSA-2011-1148.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.redhat.com/support/errata/RHSA-2011-1251.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=692421"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://docs.redhat.com/docs/en-US/JBoss_Communications_Platform/5.1/html/5.1.1_Release_Notes/ar01s05.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.redhat.com/support/errata/RHSA-2011-0460.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.redhat.com/support/errata/RHSA-2011-0461.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.redhat.com/support/errata/RHSA-2011-0462.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.redhat.com/support/errata/RHSA-2011-0463.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.redhat.com/support/errata/RHSA-2011-1148.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.redhat.com/support/errata/RHSA-2011-1251.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=692421"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://docs.redhat.com/docs/en-US/JBoss_Communications_Platform/5.1/html/5.1.1_Release_Notes/ar01s05.html"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-264"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.