Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 6.8
CVE Id CVE-2011-2196
Last Modified 01 Aug 2011 12:00:00
Published 26 Jul 2011 10:55:01
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact PARTIAL
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2011-2196

Summary

jboss-seam.jar in the JBoss Seam 2 framework 2.2.x and earlier, as distributed in Red Hat JBoss Enterprise SOA Platform 4.3.0.CP05 and 5.1.0; JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3.0, 4.3.0.CP09, and 5.1.1; and JBoss Enterprise Web Platform 5.1.1, does not properly restrict use of Expression Language (EL) statements in FacesMessages during page exception handling, which allows remote attackers to execute arbitrary Java code via a crafted URL to an application. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1484.

Vulnerable Systems

Application

  • Red Hat JBoss Enterprise Application Platform 4.3.0

  • Red Hat JBoss Enterprise Application Platform 5.1.1

  • Red Hat JBoss Enterprise SOA Platform 4.3.0

  • Red Hat JBoss Enterprise SOA Platform 5.1.0

  • Red Hat JBoss Enterprise Web Platform 5.1.1

  • Red Hat JBoss Seam 2 Framework 2.0.0

  • Red Hat JBoss Seam 2 Framework 2.0.1

  • Red Hat JBoss Seam 2 Framework 2.0.2

  • Red Hat JBoss Seam 2 Framework 2.0.3

  • Red Hat JBoss Seam 2 Framework 2.1.0

  • Red Hat JBoss Seam 2 Framework 2.1.1

  • Red Hat JBoss Seam 2 Framework 2.1.2

  • Red Hat JBoss Seam 2 Framework 2.2.0

  • Red Hat JBoss Seam 2 Framework 2.2.1

  • Red Hat JBoss Seam 2 Framework 2.2.2


References

CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=712283

BID - 48716

REDHAT - RHSA-2011:0952

REDHAT - RHSA-2011:0951

REDHAT - RHSA-2011:0950

REDHAT - RHSA-2011:0949

REDHAT - RHSA-2011:0948

REDHAT - RHSA-2011:0947

REDHAT - RHSA-2011:0946

REDHAT - RHSA-2011:0945


Last Updated: 27 May 2016 10:56:57