CVE-2011-2196

CWE-2645 documents5 sources

Severity

6.8MEDIUM

EPSS

1.2%

top 20.97%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Jboss Seam 2 Framework Redhat Jboss Enterprise Application Platform Redhat Jboss Enterprise SOA Platform +1 more

Timeline

PublishedJul 27

Latest updateMay 17

Description

jboss-seam.jar in the JBoss Seam 2 framework 2.2.x and earlier, as distributed in Red Hat JBoss Enterprise SOA Platform 4.3.0.CP05 and 5.1.0; JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3.0, 4.3.0.CP09, and 5.1.1; and JBoss Enterprise Web Platform 5.1.1, does not properly restrict use of Expression Language (EL) statements in FacesMessages during page exception handling, which allows remote attackers to execute arbitrary Java code via a crafted URL to an application. NOTE: t…

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages4 packages

▶NVDredhat/jboss_enterprise_application_platform4.3.0, 5.1.1+1

▶NVDredhat/jboss_enterprise_soa_platform4.3.0, 5.1.0+1

▶NVDredhat/jboss_enterprise_web_platform5.1.1

▶NVDredhat/jboss_seam_2_framework2.2.2+9

🔴Vulnerability Details

GHSA

GHSA-6m4p-jvxh-733r: jboss-seam↗2022-05-17

▶

CVEList

CVE-2011-2196: jboss-seam↗2011-07-27

▶

📋Vendor Advisories

Red Hat

JBoss Seam EL interpolation in exception handling↗2011-07-18

▶

💬Community

Bugzilla

CVE-2011-2196 JBoss Seam EL interpolation in exception handling↗2011-06-10

▶