{ "threat_severity" : "Important", "public_date" : "2014-06-23T00:00:00Z", "bugzilla" : { "description" : "Seam: RCE via unsafe logging in AuthenticationFilter", "id" : "1101619", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1101619" }, "cvss" : { "cvss_base_score" : "6.8", "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:P/I:P/A:P", "status" : "verified" }, "cwe" : "CWE-94", "details" : [ "org.jboss.seam.web.AuthenticationFilter in Red Hat JBoss Web Framework Kit 2.5.0, JBoss Enterprise Application Platform (JBEAP) 5.2.0, and JBoss Enterprise Web Platform (JBEWP) 5.2.0 allows remote attackers to execute arbitrary code via a crafted authentication header, related to Seam logging.", "It was found that the org.jboss.seam.web.AuthenticationFilter class implementation did not properly use Seam logging. A remote attacker could send specially crafted authentication headers to an application, which could result in arbitrary code execution with the privileges of the user running that application." ], "acknowledgement" : "This issue was discovered by Marek Schmidt (Red Hat).", "affected_release" : [ { "product_name" : "JBEWP 5 for RHEL 5", "release_date" : "2014-06-25T00:00:00Z", "advisory" : "RHSA-2014:0792", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_platform:5::el5", "package" : "jboss-seam2-0:2.2.6.EAP5-12.ep5.el5" }, { "product_name" : "JBEWP 5 for RHEL 6", "release_date" : "2014-06-25T00:00:00Z", "advisory" : "RHSA-2014:0792", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_platform:5::el6", "package" : "jboss-seam2-0:2.2.6.EAP5-16.el6_5" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 5.2", "release_date" : "2014-06-25T00:00:00Z", "advisory" : "RHSA-2014:0794", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5.2.0" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 5 for RHEL 4", "release_date" : "2014-06-25T00:00:00Z", "advisory" : "RHSA-2014:0793", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5::el4", "package" : "jboss-seam2-0:2.2.6.EAP5-10.ep5.el4" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 5 for RHEL 5", "release_date" : "2014-06-25T00:00:00Z", "advisory" : "RHSA-2014:0793", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5::el5", "package" : "jboss-seam2-0:2.2.6.EAP5-12.ep5.el5" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 5 for RHEL 6", "release_date" : "2014-06-25T00:00:00Z", "advisory" : "RHSA-2014:0793", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5::el6", "package" : "jboss-seam2-0:2.2.6.EAP5-16.el6_5" }, { "product_name" : "Red Hat JBoss SOA Platform 5.3", "release_date" : "2015-10-12T00:00:00Z", "advisory" : "RHSA-2015:1888", "cpe" : "cpe:/a:redhat:jboss_enterprise_soa_platform:5.3" }, { "product_name" : "Red Hat JBoss Web Framework Kit 2.5", "release_date" : "2014-06-23T00:00:00Z", "advisory" : "RHSA-2014:0785", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_framework:2.5.0" }, { "product_name" : "Red Hat JBoss Web Platform 5.2", "release_date" : "2014-06-25T00:00:00Z", "advisory" : "RHSA-2014:0791", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_platform:5.2.0" } ], "package_state" : [ { "product_name" : "Red Hat BPM Suite 6", "fix_state" : "Not affected", "package_name" : "seam", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform" }, { "product_name" : "Red Hat JBoss BRMS 5", "fix_state" : "Will not fix", "package_name" : "seam", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:5" }, { "product_name" : "Red Hat JBoss BRMS 6", "fix_state" : "Not affected", "package_name" : "seam", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:6" }, { "product_name" : "Red Hat JBoss Data Virtualization 6", "fix_state" : "Not affected", "package_name" : "seam", "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Not affected", "package_name" : "seam", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Fuse Service Works 6", "fix_state" : "Not affected", "package_name" : "seam", "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6" }, { "product_name" : "Red Hat JBoss Operations Network 3", "fix_state" : "Not affected", "package_name" : "seam", "cpe" : "cpe:/a:redhat:jboss_operations_network:3" }, { "product_name" : "Red Hat JBoss Portal 5", "fix_state" : "Affected", "package_name" : "seam", "cpe" : "cpe:/a:redhat:jboss_enterprise_portal_platform:5" }, { "product_name" : "Red Hat JBoss Portal 6", "fix_state" : "Not affected", "package_name" : "seam", "cpe" : "cpe:/a:redhat:jboss_enterprise_portal_platform:6" }, { "product_name" : "Red Hat JBoss SOA Platform 4", "fix_state" : "Will not fix", "package_name" : "seam", "cpe" : "cpe:/a:redhat:jboss_enterprise_soa_platform:4" }, { "product_name" : "Red Hat JBoss SOA Platform 5", "fix_state" : "Affected", "package_name" : "seam", "cpe" : "cpe:/a:redhat:jboss_enterprise_soa_platform:5" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2014-0248\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-0248" ], "name" : "CVE-2014-0248", "csaw" : false }