  1. Seam 2
  2. JBSEAM-4844

Seam 2 does not properly block access to EL expressions

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 2.2.0.GA, 2.2.1.Final, 2.2.2.Final
    • Fix Version/s: 2.3.0.ALPHA
    • Component/s: EL
    • Labels:
      None

      Description

      Seam 2 does not properly block access to JBoss
      Expression Language (EL) constructs in page exception handling, allowing
      arbitrary Java methods to be executed. A remote attacker could use this
      flaw to execute arbitrary code via a specially-crafted URL provided to
      certain applications based on the JBoss Seam 2 framework. Note: A properly
      configured and enabled Java Security Manager would prevent exploitation of
      this flaw. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1484)

              People

              • Assignee: manaRH Marek Novotny
              • Reporter: manaRH Marek Novotny