CVE-2014-0248

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2014-0248
org.jboss.seam.web.AuthenticationFilter in Red Hat JBoss Web Framework Kit 2.5.0, JBoss Enterprise Application Platform (JBEAP) 5.2.0, and JBoss Enterprise Web Platform (JBEWP) 5.2.0 allows remote attackers to execute arbitrary code via a crafted authentication header, related to Seam logging.

6.8 /10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References
Link Resource
http://rhn.redhat.com/errata/RHSA-2014-0785.html Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2014-0791.html Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2014-0792.html Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2014-0793.html Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2014-0794.html Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2015-1888.html
http://secunia.com/advisories/59346
http://secunia.com/advisories/59554
http://secunia.com/advisories/59555
http://www.securitytracker.com/id/1030457
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.2.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_web_platform:5.2.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_web_framework_kit:2.5.0:*:*:*:*:*:*:*
History

13 Feb 2023, 00:38

Type Values Removed Values Added
Summary It was found that the org.jboss.seam.web.AuthenticationFilter class implementation did not properly use Seam logging. A remote attacker could send specially crafted authentication headers to an application, which could result in arbitrary code execution with the privileges of the user running that application. org.jboss.seam.web.AuthenticationFilter in Red Hat JBoss Web Framework Kit 2.5.0, JBoss Enterprise Application Platform (JBEAP) 5.2.0, and JBoss Enterprise Web Platform (JBEWP) 5.2.0 allows remote attackers to execute arbitrary code via a crafted authentication header, related to Seam logging.
References
  • {'url': 'https://access.redhat.com/security/cve/CVE-2014-0248', 'name': 'https://access.redhat.com/security/cve/CVE-2014-0248', 'tags': [], 'refsource': 'MISC'}
  • {'url': 'https://access.redhat.com/errata/RHSA-2014:0794', 'name': 'https://access.redhat.com/errata/RHSA-2014:0794', 'tags': [], 'refsource': 'MISC'}
  • {'url': 'https://access.redhat.com/errata/RHSA-2015:1888', 'name': 'https://access.redhat.com/errata/RHSA-2015:1888', 'tags': [], 'refsource': 'MISC'}
  • {'url': 'https://access.redhat.com/errata/RHSA-2014:0785', 'name': 'https://access.redhat.com/errata/RHSA-2014:0785', 'tags': [], 'refsource': 'MISC'}
  • {'url': 'https://access.redhat.com/errata/RHSA-2014:0793', 'name': 'https://access.redhat.com/errata/RHSA-2014:0793', 'tags': [], 'refsource': 'MISC'}
  • {'url': 'https://access.redhat.com/errata/RHSA-2014:0792', 'name': 'https://access.redhat.com/errata/RHSA-2014:0792', 'tags': [], 'refsource': 'MISC'}
  • {'url': 'https://bugzilla.redhat.com/show_bug.cgi?id=1101619', 'name': 'https://bugzilla.redhat.com/show_bug.cgi?id=1101619', 'tags': [], 'refsource': 'MISC'}

02 Feb 2023, 20:16

Type Values Removed Values Added
References
  • (MISC) https://access.redhat.com/security/cve/CVE-2014-0248 -
  • (MISC) https://access.redhat.com/errata/RHSA-2014:0794 -
  • (MISC) https://access.redhat.com/errata/RHSA-2015:1888 -
  • (MISC) https://access.redhat.com/errata/RHSA-2014:0785 -
  • (MISC) https://access.redhat.com/errata/RHSA-2014:0793 -
  • (MISC) https://access.redhat.com/errata/RHSA-2014:0792 -
  • (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=1101619 -
Summary org.jboss.seam.web.AuthenticationFilter in Red Hat JBoss Web Framework Kit 2.5.0, JBoss Enterprise Application Platform (JBEAP) 5.2.0, and JBoss Enterprise Web Platform (JBEWP) 5.2.0 allows remote attackers to execute arbitrary code via a crafted authentication header, related to Seam logging. It was found that the org.jboss.seam.web.AuthenticationFilter class implementation did not properly use Seam logging. A remote attacker could send specially crafted authentication headers to an application, which could result in arbitrary code execution with the privileges of the user running that application.
Information

Published : 2014-07-07 14:55

Updated : 2023-12-10 11:31

NVD link : CVE-2014-0248

Mitre link : CVE-2014-0248

CVE.ORG link : CVE-2014-0248

JSON object : View

Products Affected

redhat

  • jboss_enterprise_web_platform
  • jboss_web_framework_kit
  • jboss_enterprise_application_platform
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')