CVE-2010-1871
Red Hat Linux JBoss Seam 2 Remote Code Execution Vulnerability
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
2Exploited in Wild
YesDecision
Descriptions
JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression Language (EL) expressions, which allows remote attackers to execute arbitrary code via a crafted URL. NOTE: this is only a vulnerability when the Java Security Manager is not properly configured.
JBoss Seam 2 (jboss-seam2), como el usado en JBoss Enterprise Application Platform v4.3.0 para Red Hat Linux, no sanea adecuadamente las entradas de de la expresiones de Expression LanguageJBoss Expression Language (EL), lo que permite a atacantes remotos ejecutar código de su elección a través de URL manipuladas. NOTA: Solo se da esta vulnerabilidad cuando el Java Security Manager no está configurado adecuadamente.
JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4.3.0 for Red Hat Linux, allows attackers to perform remote code execution. This vulnerability can only be exploited when the Java Security Manager is not properly configured.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2010-05-10 CVE Reserved
- 2010-08-04 CVE Published
- 2010-08-05 First Exploit
- 2021-12-10 Exploited in Wild
- 2022-06-10 KEV Due Date
- 2024-07-25 EPSS Updated
- 2024-08-07 CVE Updated
CWE
- CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
CAPEC
References (12)
| URL | Tag | Source |
|---|---|---|
| http://archives.neohapsis.com/archives/bugtraq/2013-05/0117.html | Broken Link | |
| http://www.securityfocus.com/bid/41994 | Broken Link | |
| http://www.securitytracker.com/id?1024253 | Broken Link | |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/60794 | Third Party Advisory | |
| https://security.netapp.com/advisory/ntap-20161017-0001 | Third Party Advisory |
|
| http://blog.o0o.nu/2010/07/cve-2010-1871-jboss-seam-framework.html |
| URL | Date | SRC |
|---|---|---|
| https://www.exploit-db.com/exploits/36653 | 2015-04-06 | |
| https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/jboss_seam_upload_exec.rb | 2010-08-05 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://www.redhat.com/support/errata/RHSA-2010-0564.html | 2024-07-24 | |
| http://www.vupen.com/english/advisories/2010/1929 | 2024-07-24 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=615956 | 2010-07-27 | |
| https://access.redhat.com/security/cve/CVE-2010-1871 | 2010-07-27 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 4.3.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "4.3.0" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 4 Search vendor "Redhat" for product "Enterprise Linux" and version "4" | - |
Safe
|
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 4.3.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "4.3.0" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 5 Search vendor "Redhat" for product "Enterprise Linux" and version "5" | - |
Safe
|
| Netapp Search vendor "Netapp" | Oncommand Balance Search vendor "Netapp" for product "Oncommand Balance" | - | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Oncommand Insight Search vendor "Netapp" for product "Oncommand Insight" | - | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Oncommand Unified Manager Search vendor "Netapp" for product "Oncommand Unified Manager" | - | clustered_data_ontap |
Affected
| ||||||