CVE-2014-0248

Seam: RCE via unsafe logging in AuthenticationFilter

Severity Score

6.8

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

org.jboss.seam.web.AuthenticationFilter in Red Hat JBoss Web Framework Kit 2.5.0, JBoss Enterprise Application Platform (JBEAP) 5.2.0, and JBoss Enterprise Web Platform (JBEWP) 5.2.0 allows remote attackers to execute arbitrary code via a crafted authentication header, related to Seam logging.

org.jboss.seam.web.AuthenticationFilter en Red Hat JBoss Web Framework Kit 2.5.0, JBoss Enterprise Application Platform (JBEAP) 5.2.0 y JBoss Enterprise Web Platform (JBEWP) 5.2.0 permite a atacantes remotos ejecutar código arbitrario a través de una cabecera de autenticación manipulada, relacionado con el registro Seam.

It was found that the org.jboss.seam.web.AuthenticationFilter class implementation did not properly use Seam logging. A remote attacker could send specially crafted authentication headers to an application, which could result in arbitrary code execution with the privileges of the user running that application.

*Credits: N/A

CVSS Scores

NISTv2 6.8

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2013-12-03 CVE Reserved
2014-06-24 CVE Published
2024-01-01 EPSS Updated
2024-08-06 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-94: Improper Control of Generation of Code ('Code Injection')

CAPEC

References (12)

URL	Tag	Source
http://secunia.com/advisories/59346	Third Party Advisory
http://secunia.com/advisories/59554	Third Party Advisory
http://secunia.com/advisories/59555	Third Party Advisory
http://www.securitytracker.com/id/1030457	Vdb Entry

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
http://rhn.redhat.com/errata/RHSA-2014-0785.html	2023-02-13
http://rhn.redhat.com/errata/RHSA-2014-0791.html	2023-02-13
http://rhn.redhat.com/errata/RHSA-2014-0792.html	2023-02-13
http://rhn.redhat.com/errata/RHSA-2014-0793.html	2023-02-13
http://rhn.redhat.com/errata/RHSA-2014-0794.html	2023-02-13
http://rhn.redhat.com/errata/RHSA-2015-1888.html	2023-02-13
https://access.redhat.com/security/cve/CVE-2014-0248	2015-10-12
https://bugzilla.redhat.com/show_bug.cgi?id=1101619	2015-10-12

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				5.2.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "5.2.0"		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Web Platform Search vendor "Redhat" for product "Jboss Enterprise Web Platform"				5.2.0 Search vendor "Redhat" for product "Jboss Enterprise Web Platform" and version "5.2.0"		-		Affected
Redhat Search vendor "Redhat"		Jboss Web Framework Kit Search vendor "Redhat" for product "Jboss Web Framework Kit"				2.5.0 Search vendor "Redhat" for product "Jboss Web Framework Kit" and version "2.5.0"		-		Affected