Uploaded image for project: 'JBoss Enterprise Application Platform 4 and 5'
  1. JBoss Enterprise Application Platform 4 and 5
  2. JBPAPP-6387

JBoss Seam2 privilege escalation caused by EL interpolation in FacesMessages

    XMLWordPrintable

    Details

    • Affects:
      Release Notes
    • Release Notes Text:
      Hide
      It was found that JBoss Seam 2 did not properly block access to JBoss
      Expression Language (EL) constructs in page exception handling, allowing
      arbitrary Java methods to be executed. A remote attacker could use this
      flaw to execute arbitrary code via a specially-crafted URL provided to
      certain applications based on the JBoss Seam 2 framework. Note: A properly
      configured and enabled Java Security Manager would prevent exploitation of
      this flaw. (CVE-2011-1484)
      Show
      It was found that JBoss Seam 2 did not properly block access to JBoss Expression Language (EL) constructs in page exception handling, allowing arbitrary Java methods to be executed. A remote attacker could use this flaw to execute arbitrary code via a specially-crafted URL provided to certain applications based on the JBoss Seam 2 framework. Note: A properly configured and enabled Java Security Manager would prevent exploitation of this flaw. (CVE-2011-1484)
    • Release Notes Docs Status:
      Documented as Resolved Issue
    • Docs QE Status:
      ASSIGNED

      Description

      Back port one-off patch into regular branch, details are at https://bugzilla.redhat.com/show_bug.cgi?id=692421

        Gliffy Diagrams

          Attachments

            Issue Links

            cloned to

            Bug - A problem which impairs or prevents the functions of the product. JBPAPP-6388 JBoss Seam2 privilege escalation caused by EL interpolation in FacesMessages

            • Blocker - An issue (bug, feature, task) that blocks development and/or testing work, production could not run. An upcoming version that is affected by this issue cannot be released until it's addressed.
            • Closed

              Activity

                People

                • Assignee:
                  manaRH Marek Novotny
                  Reporter:
                  manaRH Marek Novotny
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  0 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: