  1. JBoss Enterprise Application Platform 4 and 5
  2. JBPAPP-6387

JBoss Seam2 privilege escalation caused by EL interpolation in FacesMessages

Details

    • Release Notes
      It was found that JBoss Seam 2 did not properly block access to JBoss
      Expression Language (EL) constructs in page exception handling, allowing
      arbitrary Java methods to be executed. A remote attacker could use this
      flaw to execute arbitrary code via a specially-crafted URL provided to
      certain applications based on the JBoss Seam 2 framework. Note: A properly
      configured and enabled Java Security Manager would prevent exploitation of
      this flaw. (CVE-2011-1484)
    • Documented as Resolved Issue
    • ASSIGNED

    Description

      Backport the one-off patch into the regular branch; details are at https://bugzilla.redhat.com/show_bug.cgi?id=692421

            People

              mnovotny@redhat.com Marek Novotny