Uploaded image for project: 'JBoss Enterprise Application Platform 4 and 5'
  1. JBoss Enterprise Application Platform 4 and 5
  2. JBPAPP-6387

JBoss Seam2 privilege escalation caused by EL interpolation in FacesMessages

XMLWordPrintable

    • Release Notes
    • Hide
      It was found that JBoss Seam 2 did not properly block access to JBoss
      Expression Language (EL) constructs in page exception handling, allowing
      arbitrary Java methods to be executed. A remote attacker could use this
      flaw to execute arbitrary code via a specially-crafted URL provided to
      certain applications based on the JBoss Seam 2 framework. Note: A properly
      configured and enabled Java Security Manager would prevent exploitation of
      this flaw. (CVE-2011-1484)
      Show
      It was found that JBoss Seam 2 did not properly block access to JBoss Expression Language (EL) constructs in page exception handling, allowing arbitrary Java methods to be executed. A remote attacker could use this flaw to execute arbitrary code via a specially-crafted URL provided to certain applications based on the JBoss Seam 2 framework. Note: A properly configured and enabled Java Security Manager would prevent exploitation of this flaw. (CVE-2011-1484)
    • Documented as Resolved Issue
    • ASSIGNED

      Back port one-off patch into regular branch, details are at https://bugzilla.redhat.com/show_bug.cgi?id=692421

              mnovotny@redhat.com Marek Novotny
              mnovotny@redhat.com Marek Novotny
              Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

                Created:
                Updated:
                Resolved: