[seam-issues] [JBoss JIRA] (JBSEAM-4844) Seam 2 does not properly block access to EL expressions

Marek Novotny (Resolved) (JIRA) jira-events at lists.jboss.org
Sat Oct 8 05:37:15 EDT 2011


     [ https://issues.jboss.org/browse/JBSEAM-4844?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Marek Novotny resolved JBSEAM-4844.
-----------------------------------

    Resolution: Done

    
> Seam 2 does not properly block access to EL expressions
> -------------------------------------------------------
>
>                 Key: JBSEAM-4844
>                 URL: https://issues.jboss.org/browse/JBSEAM-4844
>             Project: Seam 2
>          Issue Type: Bug
>          Components: EL
>    Affects Versions: 2.2.0.GA, 2.2.1.Final, 2.2.2.Final
>            Reporter: Marek Novotny
>            Assignee: Marek Novotny
>             Fix For: 2.3.0.ALPHA
>
>
> Seam 2 does not properly block access to JBoss
> Expression Language (EL) constructs in page exception handling, allowing
> arbitrary Java methods to be executed. A remote attacker could use this
> flaw to execute arbitrary code via a specially-crafted URL provided to
> certain applications based on the JBoss Seam 2 framework. Note: A properly
> configured and enabled Java Security Manager would prevent exploitation of
> this flaw. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1484)

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        


More information about the seam-issues mailing list