Vulnerability-Lookup

CVE-2010-1622 (GCVE-0-2010-1622)

Vulnerability from cvelistv5 – Published: 2010-06-21 16:00 – Updated: 2024-08-07 01:28

Summary

SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file.

Severity

No CVSS data available.

CWE

Assigner

redhat

References

14 references

URL	Tags
http://geronimo.apache.org/2010/07/21/apache-gero…	x_refsource_CONFIRM
http://www.vupen.com/english/advisories/2011/0237	vdb-entryx_refsource_VUPEN
http://www.oracle.com/technetwork/topics/security…	x_refsource_CONFIRM
http://www.exploit-db.com/exploits/13918	exploitx_refsource_EXPLOIT-DB
http://secunia.com/advisories/43087	third-party-advisoryx_refsource_SECUNIA
http://www.springsource.com/security/cve-2010-1622	x_refsource_CONFIRM
http://secunia.com/advisories/41025	third-party-advisoryx_refsource_SECUNIA
http://www.redhat.com/support/errata/RHSA-2011-01…	vendor-advisoryx_refsource_REDHAT
http://geronimo.apache.org/22x-security-report.html	x_refsource_CONFIRM
http://www.securityfocus.com/bid/40954	vdb-entryx_refsource_BID
http://secunia.com/advisories/41016	third-party-advisoryx_refsource_SECUNIA
http://www.securitytracker.com/id/1033898	vdb-entryx_refsource_SECTRACK
http://geronimo.apache.org/21x-security-report.html	x_refsource_CONFIRM
http://www.securityfocus.com/archive/1/511877	mailing-listx_refsource_BUGTRAQ

Date Public

2010-06-18 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T01:28:42.999Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://geronimo.apache.org/2010/07/21/apache-geronimo-v216-released.html"
          },
          {
            "name": "ADV-2011-0237",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2011/0237"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html"
          },
          {
            "name": "13918",
            "tags": [
              "exploit",
              "x_refsource_EXPLOIT-DB",
              "x_transferred"
            ],
            "url": "http://www.exploit-db.com/exploits/13918"
          },
          {
            "name": "43087",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/43087"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.springsource.com/security/cve-2010-1622"
          },
          {
            "name": "41025",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/41025"
          },
          {
            "name": "RHSA-2011:0175",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://www.redhat.com/support/errata/RHSA-2011-0175.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://geronimo.apache.org/22x-security-report.html"
          },
          {
            "name": "40954",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/40954"
          },
          {
            "name": "41016",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/41016"
          },
          {
            "name": "1033898",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1033898"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://geronimo.apache.org/21x-security-report.html"
          },
          {
            "name": "20100618 CVE-2010-1622: Spring Framework execution of arbitrary code",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/archive/1/511877"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2010-06-18T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2016-12-05T21:57:02.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://geronimo.apache.org/2010/07/21/apache-geronimo-v216-released.html"
        },
        {
          "name": "ADV-2011-0237",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2011/0237"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html"
        },
        {
          "name": "13918",
          "tags": [
            "exploit",
            "x_refsource_EXPLOIT-DB"
          ],
          "url": "http://www.exploit-db.com/exploits/13918"
        },
        {
          "name": "43087",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/43087"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.springsource.com/security/cve-2010-1622"
        },
        {
          "name": "41025",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/41025"
        },
        {
          "name": "RHSA-2011:0175",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://www.redhat.com/support/errata/RHSA-2011-0175.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://geronimo.apache.org/22x-security-report.html"
        },
        {
          "name": "40954",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/40954"
        },
        {
          "name": "41016",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/41016"
        },
        {
          "name": "1033898",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1033898"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://geronimo.apache.org/21x-security-report.html"
        },
        {
          "name": "20100618 CVE-2010-1622: Spring Framework execution of arbitrary code",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://www.securityfocus.com/archive/1/511877"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2010-1622",
    "datePublished": "2010-06-21T16:00:00.000Z",
    "dateReserved": "2010-04-29T00:00:00.000Z",
    "dateUpdated": "2024-08-07T01:28:42.999Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2010-1622",
      "date": "2026-06-02",
      "epss": "0.01554",
      "percentile": "0.81756"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:fusion_middleware:7.6.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"2A9B040F-4062-45C1-A659-B5E9242B54CD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:fusion_middleware:11.1.1.6.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"6DF57046-4537-475E-B25E-2375492850DD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:fusion_middleware:11.1.1.8.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"4227A17D-C070-406A-BEB7-6D43F3A0E98A\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:springsource:spring_framework:2.5.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5ECA0EF4-6BEA-4464-B098-37C0342AEDDF\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:springsource:spring_framework:2.5.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B4DDA5A7-62A4-471A-9B01-D54CF560BF56\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:springsource:spring_framework:2.5.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B977B334-EC1A-45BD-976D-3DF3332ADA90\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:springsource:spring_framework:2.5.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"6DC37B55-E7DF-4426-B1E2-2644078EDD19\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:springsource:spring_framework:2.5.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A939B963-7C6C-4617-A695-A9CC4FC774EE\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:springsource:spring_framework:2.5.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"BB2D44CB-BBBF-45DE-B3C9-2BD2625BC8E7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:springsource:spring_framework:2.5.6:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F709DAAC-AA32-4D37-9E0C-A014FB519697\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:springsource:spring_framework:2.5.7:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"BC2B4BF5-FFAE-475F-AF1B-835497BF86D9\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:springsource:spring_framework:3.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"62111DAE-3E05-4D95-8B34-E2EFB6142DCA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:springsource:spring_framework:3.0.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9A9F796E-340B-4FF5-9322-94E57D7BCEE6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:springsource:spring_framework:3.0.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D8BA17FD-BC52-4D84-9753-5D41D3BC35B4\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file.\"}, {\"lang\": \"es\", \"value\": \"SpringSource Spring Framework v2.5.x anteriores a v2.5.6.SEC02, v2.5.7 anteriores a v2.5.7.SR01, y v3.0.x anteriores a v3.0.3 permite a atacantes remotos ejecutar c\\u00f3digo arbitrario a trav\\u00e9s de una petici\\u00f3n HTTP que contenga class.classLoader.URLs[0]=jar: seguida por una URL de un fichero .jar modificado.\"}]",
      "evaluatorComment": "The previous CVSS assessment 5.1 (AV:N/AC:M/Au:N/C:P/I:P/A:P) was provided at the time of initial analysis based on the best available published information at that time.  The score has be updated to reflect the impact to Oracle products per \u003ca href=http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\u003e Oracle Critical Patch Update Advisory - October 2015 \u003c/a\u003e. Other products listed as vulnerable may or may not be similarly impacted.",
      "id": "CVE-2010-1622",
      "lastModified": "2024-11-21T01:14:49.797",
      "metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:S/C:P/I:P/A:P\", \"baseScore\": 6.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 6.8, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2010-06-21T16:30:01.180",
      "references": "[{\"url\": \"http://geronimo.apache.org/2010/07/21/apache-geronimo-v216-released.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://geronimo.apache.org/21x-security-report.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://geronimo.apache.org/22x-security-report.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://secunia.com/advisories/41016\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://secunia.com/advisories/41025\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://secunia.com/advisories/43087\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.exploit-db.com/exploits/13918\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Exploit\"]}, {\"url\": \"http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.redhat.com/support/errata/RHSA-2011-0175.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.securityfocus.com/archive/1/511877\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Exploit\"]}, {\"url\": \"http://www.securityfocus.com/bid/40954\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.securitytracker.com/id/1033898\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.springsource.com/security/cve-2010-1622\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Exploit\", \"Vendor Advisory\"]}, {\"url\": \"http://www.vupen.com/english/advisories/2011/0237\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://geronimo.apache.org/2010/07/21/apache-geronimo-v216-released.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://geronimo.apache.org/21x-security-report.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://geronimo.apache.org/22x-security-report.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://secunia.com/advisories/41016\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/41025\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/43087\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.exploit-db.com/exploits/13918\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\"]}, {\"url\": \"http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.redhat.com/support/errata/RHSA-2011-0175.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securityfocus.com/archive/1/511877\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\"]}, {\"url\": \"http://www.securityfocus.com/bid/40954\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securitytracker.com/id/1033898\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.springsource.com/security/cve-2010-1622\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Vendor Advisory\"]}, {\"url\": \"http://www.vupen.com/english/advisories/2011/0237\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "secalert@redhat.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-94\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2010-1622\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2010-06-21T16:30:01.180\",\"lastModified\":\"2026-04-29T01:13:23.040\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file.\"},{\"lang\":\"es\",\"value\":\"SpringSource Spring Framework v2.5.x anteriores a v2.5.6.SEC02, v2.5.7 anteriores a v2.5.7.SR01, y v3.0.x anteriores a v3.0.3 permite a atacantes remotos ejecutar c\u00f3digo arbitrario a trav\u00e9s de una petici\u00f3n HTTP que contenga class.classLoader.URLs[0]=jar: seguida por una URL de un fichero .jar modificado.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:S/C:P/I:P/A:P\",\"baseScore\":6.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":6.8,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:fusion_middleware:7.6.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2A9B040F-4062-45C1-A659-B5E9242B54CD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:fusion_middleware:11.1.1.6.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6DF57046-4537-475E-B25E-2375492850DD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:fusion_middleware:11.1.1.8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4227A17D-C070-406A-BEB7-6D43F3A0E98A\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:springsource:spring_framework:2.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5ECA0EF4-6BEA-4464-B098-37C0342AEDDF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:springsource:spring_framework:2.5.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B4DDA5A7-62A4-471A-9B01-D54CF560BF56\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:springsource:spring_framework:2.5.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B977B334-EC1A-45BD-976D-3DF3332ADA90\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:springsource:spring_framework:2.5.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6DC37B55-E7DF-4426-B1E2-2644078EDD19\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:springsource:spring_framework:2.5.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A939B963-7C6C-4617-A695-A9CC4FC774EE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:springsource:spring_framework:2.5.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BB2D44CB-BBBF-45DE-B3C9-2BD2625BC8E7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:springsource:spring_framework:2.5.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F709DAAC-AA32-4D37-9E0C-A014FB519697\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:springsource:spring_framework:2.5.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BC2B4BF5-FFAE-475F-AF1B-835497BF86D9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:springsource:spring_framework:3.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"62111DAE-3E05-4D95-8B34-E2EFB6142DCA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:springsource:spring_framework:3.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9A9F796E-340B-4FF5-9322-94E57D7BCEE6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:springsource:spring_framework:3.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D8BA17FD-BC52-4D84-9753-5D41D3BC35B4\"}]}]}],\"references\":[{\"url\":\"http://geronimo.apache.org/2010/07/21/apache-geronimo-v216-released.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://geronimo.apache.org/21x-security-report.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://geronimo.apache.org/22x-security-report.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://secunia.com/advisories/41016\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/41025\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/43087\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.exploit-db.com/exploits/13918\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Exploit\"]},{\"url\":\"http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.redhat.com/support/errata/RHSA-2011-0175.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.securityfocus.com/archive/1/511877\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Exploit\"]},{\"url\":\"http://www.securityfocus.com/bid/40954\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.securitytracker.com/id/1033898\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.springsource.com/security/cve-2010-1622\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"http://www.vupen.com/english/advisories/2011/0237\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://geronimo.apache.org/2010/07/21/apache-geronimo-v216-released.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://geronimo.apache.org/21x-security-report.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://geronimo.apache.org/22x-security-report.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://secunia.com/advisories/41016\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/41025\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/43087\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.exploit-db.com/exploits/13918\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\"]},{\"url\":\"http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.redhat.com/support/errata/RHSA-2011-0175.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/archive/1/511877\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\"]},{\"url\":\"http://www.securityfocus.com/bid/40954\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securitytracker.com/id/1033898\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.springsource.com/security/cve-2010-1622\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"http://www.vupen.com/english/advisories/2011/0237\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}],\"evaluatorComment\":\"The previous CVSS assessment 5.1 (AV:N/AC:M/Au:N/C:P/I:P/A:P) was provided at the time of initial analysis based on the best available published information at that time.  The score has be updated to reflect the impact to Oracle products per \u003ca href=http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\u003e Oracle Critical Patch Update Advisory - October 2015 \u003c/a\u003e. Other products listed as vulnerable may or may not be similarly impacted.\"}}"
  }
}

CERTA-2010-AVI-387

Vulnerability from certfr_avis - Published: - Updated:

Des vulnérabilités concernant les composants d'Apache Geronimo permettent notamment à un utilisateur malveillant d'exécuter du code arbitraire à distance et de réaliser un déni de service.

Description

Une vulnérabilité (CVE-2010-1622) dans le composant SpringSource Spring Framework permet à un attaquant d'exécuter du code arbitraire via une requête HTTP contenant l'adresse d'un fichier jar ;
une erreur dans la gestion des DTD inclus dans les messages SOAP engendre une vulnérabilité dans le composant Apache Axis2 (CVE-2010-1632) et Apache CXF (CVE-2010-2076). Elle permet à un utilisateur malveillant de déclencher des requêtes HTTP à des serveurs de l'intranet, de lire des fichiers arbitraires, et causer un déni de service par consommation excessive de ressources système.

Solution

La version 2.1.6 de Apache Geronimo contient les versions corrigées de ces différents modules.

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Serveur Apache Geronimo versions 2.1.5 et inférieures.

Impacted products

	Vendor	Product	Description

References

Title

Publication Time

CERTA-2010-AVI-387

Vulnerability from certfr_avis - Published: - Updated:

Des vulnérabilités concernant les composants d'Apache Geronimo permettent notamment à un utilisateur malveillant d'exécuter du code arbitraire à distance et de réaliser un déni de service.

Description

Une vulnérabilité (CVE-2010-1622) dans le composant SpringSource Spring Framework permet à un attaquant d'exécuter du code arbitraire via une requête HTTP contenant l'adresse d'un fichier jar ;
une erreur dans la gestion des DTD inclus dans les messages SOAP engendre une vulnérabilité dans le composant Apache Axis2 (CVE-2010-1632) et Apache CXF (CVE-2010-2076). Elle permet à un utilisateur malveillant de déclencher des requêtes HTTP à des serveurs de l'intranet, de lire des fichiers arbitraires, et causer un déni de service par consommation excessive de ressources système.

Solution

La version 2.1.6 de Apache Geronimo contient les versions corrigées de ces différents modules.

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Serveur Apache Geronimo versions 2.1.5 et inférieures.

Impacted products

	Vendor	Product	Description

References

Title

Publication Time

BDU:2022-05406

Vulnerability from fstec - Published: 21.06.2022

Title

Уязвимость программной платформы Spring Framework, связанная с неверным управлением генерацией кода, позволяющая нарушителю выполнить произвольный код

Description

Уязвимость программной платформы Spring Framework связана с неверным управлением генерацией кода. Эксплуатация уязвимости может позволить нарушителю, действующему удалённо, выполнить произвольный код при помощи специально созданного .jar файла

Severity


                    
                      AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Vendor

Pivotal Software Inc.

Software Name

Spring Framework

Software Version

от 2.5.0 до 2.5.6.SEC02 (Spring Framework), от 2.5.7 до 2.5.7.SR01 (Spring Framework), от 3.0.0 до 3.0.3 (Spring Framework)

Possible Mitigations

Обновление программной платформы Spring Framework до актуальной версии

Reference

https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1770 https://nvd.nist.gov/vuln/detail/CVE-2010-1622 http://www.securityfocus.com/archive/1/511877 http://www.securityfocus.com/bid/40954 http://www.securitytracker.com/id/1033898 http://www.springsource.com/security/cve-2010-1622

CWE

CWE-94

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
  "CVSS 3.0": "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Pivotal Software Inc.",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "\u043e\u0442 2.5.0 \u0434\u043e 2.5.6.SEC02 (Spring Framework), \u043e\u0442 2.5.7 \u0434\u043e 2.5.7.SR01 (Spring Framework), \u043e\u0442 3.0.0 \u0434\u043e 3.0.3 (Spring Framework)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b Spring Framework \u0434\u043e \u0430\u043a\u0442\u0443\u0430\u043b\u044c\u043d\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "21.06.2022",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "31.08.2022",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "31.08.2022",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2022-05406",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2010-1622",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Spring Framework",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": null,
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b Spring Framework, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043d\u0435\u0432\u0435\u0440\u043d\u044b\u043c \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u0435\u043c \u0433\u0435\u043d\u0435\u0440\u0430\u0446\u0438\u0435\u0439 \u043a\u043e\u0434\u0430, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0432 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u0435",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u0432\u0435\u0440\u043d\u043e\u0435 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u0435 \u0433\u0435\u043d\u0435\u0440\u0430\u0446\u0438\u0435\u0439 \u043a\u043e\u0434\u0430 (\u0412\u043d\u0435\u0434\u0440\u0435\u043d\u0438\u0435 \u043a\u043e\u0434\u0430) (CWE-94)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b Spring Framework \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u0432\u0435\u0440\u043d\u044b\u043c \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u0435\u043c \u0433\u0435\u043d\u0435\u0440\u0430\u0446\u0438\u0435\u0439 \u043a\u043e\u0434\u0430. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e, \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434 \u043f\u0440\u0438 \u043f\u043e\u043c\u043e\u0449\u0438 \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u0441\u043e\u0437\u0434\u0430\u043d\u043d\u043e\u0433\u043e .jar \u0444\u0430\u0439\u043b\u0430",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u0417\u043b\u043e\u0443\u043f\u043e\u0442\u0440\u0435\u0431\u043b\u0435\u043d\u0438\u0435 \u0444\u0443\u043d\u043a\u0446\u0438\u043e\u043d\u0430\u043b\u043e\u043c",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1770\nhttps://nvd.nist.gov/vuln/detail/CVE-2010-1622\nhttp://www.securityfocus.com/archive/1/511877\nhttp://www.securityfocus.com/bid/40954\t\nhttp://www.securitytracker.com/id/1033898\t\nhttp://www.springsource.com/security/cve-2010-1622",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-94",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 6)\n\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 6,3)"
}

FKIE_CVE-2010-1622

Vulnerability from fkie_nvd - Published: 2010-06-21 16:30 - Updated: 2026-04-29 01:13

Severity

Summary

References

URL	Tags
secalert@redhat.com	http://geronimo.apache.org/2010/07/21/apache-geronimo-v216-released.html	Vendor Advisory
secalert@redhat.com	http://geronimo.apache.org/21x-security-report.html	Vendor Advisory
secalert@redhat.com	http://geronimo.apache.org/22x-security-report.html	Vendor Advisory
secalert@redhat.com	http://secunia.com/advisories/41016
secalert@redhat.com	http://secunia.com/advisories/41025
secalert@redhat.com	http://secunia.com/advisories/43087
secalert@redhat.com	http://www.exploit-db.com/exploits/13918	Exploit
secalert@redhat.com	http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
secalert@redhat.com	http://www.redhat.com/support/errata/RHSA-2011-0175.html
secalert@redhat.com	http://www.securityfocus.com/archive/1/511877	Exploit
secalert@redhat.com	http://www.securityfocus.com/bid/40954
secalert@redhat.com	http://www.securitytracker.com/id/1033898
secalert@redhat.com	http://www.springsource.com/security/cve-2010-1622	Exploit, Vendor Advisory
secalert@redhat.com	http://www.vupen.com/english/advisories/2011/0237
af854a3a-2127-422b-91ae-364da2661108	http://geronimo.apache.org/2010/07/21/apache-geronimo-v216-released.html	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://geronimo.apache.org/21x-security-report.html	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://geronimo.apache.org/22x-security-report.html	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/41016
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/41025
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/43087
af854a3a-2127-422b-91ae-364da2661108	http://www.exploit-db.com/exploits/13918	Exploit
af854a3a-2127-422b-91ae-364da2661108	http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
af854a3a-2127-422b-91ae-364da2661108	http://www.redhat.com/support/errata/RHSA-2011-0175.html
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/archive/1/511877	Exploit
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/40954
af854a3a-2127-422b-91ae-364da2661108	http://www.securitytracker.com/id/1033898
af854a3a-2127-422b-91ae-364da2661108	http://www.springsource.com/security/cve-2010-1622	Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.vupen.com/english/advisories/2011/0237

Impacted products

Vendor	Product	Version
oracle	fusion_middleware	7.6.2
oracle	fusion_middleware	11.1.1.6.1
oracle	fusion_middleware	11.1.1.8.0
springsource	spring_framework	2.5.0
springsource	spring_framework	2.5.1
springsource	spring_framework	2.5.2
springsource	spring_framework	2.5.3
springsource	spring_framework	2.5.4
springsource	spring_framework	2.5.5
springsource	spring_framework	2.5.6
springsource	spring_framework	2.5.7
springsource	spring_framework	3.0.0
springsource	spring_framework	3.0.1
springsource	spring_framework	3.0.2

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:oracle:fusion_middleware:7.6.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "2A9B040F-4062-45C1-A659-B5E9242B54CD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:fusion_middleware:11.1.1.6.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "6DF57046-4537-475E-B25E-2375492850DD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:fusion_middleware:11.1.1.8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "4227A17D-C070-406A-BEB7-6D43F3A0E98A",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:springsource:spring_framework:2.5.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "5ECA0EF4-6BEA-4464-B098-37C0342AEDDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:springsource:spring_framework:2.5.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "B4DDA5A7-62A4-471A-9B01-D54CF560BF56",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:springsource:spring_framework:2.5.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "B977B334-EC1A-45BD-976D-3DF3332ADA90",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:springsource:spring_framework:2.5.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "6DC37B55-E7DF-4426-B1E2-2644078EDD19",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:springsource:spring_framework:2.5.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "A939B963-7C6C-4617-A695-A9CC4FC774EE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:springsource:spring_framework:2.5.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "BB2D44CB-BBBF-45DE-B3C9-2BD2625BC8E7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:springsource:spring_framework:2.5.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "F709DAAC-AA32-4D37-9E0C-A014FB519697",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:springsource:spring_framework:2.5.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "BC2B4BF5-FFAE-475F-AF1B-835497BF86D9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "62111DAE-3E05-4D95-8B34-E2EFB6142DCA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "9A9F796E-340B-4FF5-9322-94E57D7BCEE6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:springsource:spring_framework:3.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "D8BA17FD-BC52-4D84-9753-5D41D3BC35B4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file."
    },
    {
      "lang": "es",
      "value": "SpringSource Spring Framework v2.5.x anteriores a v2.5.6.SEC02, v2.5.7 anteriores a v2.5.7.SR01, y v3.0.x anteriores a v3.0.3 permite a atacantes remotos ejecutar c\u00f3digo arbitrario a trav\u00e9s de una petici\u00f3n HTTP que contenga class.classLoader.URLs[0]=jar: seguida por una URL de un fichero .jar modificado."
    }
  ],
  "evaluatorComment": "The previous CVSS assessment 5.1 (AV:N/AC:M/Au:N/C:P/I:P/A:P) was provided at the time of initial analysis based on the best available published information at that time.  The score has be updated to reflect the impact to Oracle products per \u003ca href=http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\u003e Oracle Critical Patch Update Advisory - October 2015 \u003c/a\u003e. Other products listed as vulnerable may or may not be similarly impacted.",
  "id": "CVE-2010-1622",
  "lastModified": "2026-04-29T01:13:23.040",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2010-06-21T16:30:01.180",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://geronimo.apache.org/2010/07/21/apache-geronimo-v216-released.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://geronimo.apache.org/21x-security-report.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://geronimo.apache.org/22x-security-report.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://secunia.com/advisories/41016"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://secunia.com/advisories/41025"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://secunia.com/advisories/43087"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Exploit"
      ],
      "url": "http://www.exploit-db.com/exploits/13918"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.redhat.com/support/errata/RHSA-2011-0175.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Exploit"
      ],
      "url": "http://www.securityfocus.com/archive/1/511877"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.securityfocus.com/bid/40954"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.securitytracker.com/id/1033898"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "http://www.springsource.com/security/cve-2010-1622"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.vupen.com/english/advisories/2011/0237"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://geronimo.apache.org/2010/07/21/apache-geronimo-v216-released.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://geronimo.apache.org/21x-security-report.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://geronimo.apache.org/22x-security-report.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/41016"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/41025"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/43087"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit"
      ],
      "url": "http://www.exploit-db.com/exploits/13918"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.redhat.com/support/errata/RHSA-2011-0175.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit"
      ],
      "url": "http://www.securityfocus.com/archive/1/511877"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/bid/40954"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securitytracker.com/id/1033898"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "http://www.springsource.com/security/cve-2010-1622"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.vupen.com/english/advisories/2011/0237"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-VPR3-F594-MG5G

Vulnerability from github – Published: 2022-05-17 03:28 – Updated: 2024-03-14 21:28

Summary

Improper Control of Generation of Code ('Code Injection') in Spring Framework

Details

SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.5.6"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework:spring"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.5.0"
            },
            {
              "fixed": "2.5.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework:spring"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2010-1622"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-17T22:33:40Z",
    "nvd_published_at": "2010-06-21T16:30:00Z",
    "severity": "MODERATE"
  },
  "details": "SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing `class.classLoader.URLs[0]=jar:` followed by a URL of a crafted .jar file.",
  "id": "GHSA-vpr3-f594-mg5g",
  "modified": "2024-03-14T21:28:08Z",
  "published": "2022-05-17T03:28:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-1622"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spring-projects/spring-framework/commit/3a5af35d37c79d0644d49b93f792a4c18fe8eb71"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2011:0175"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2010-1622"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=606706"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/spring-projects/spring-framework"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/fulldisclosure/2010/Jun/456"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20100623011648/http://www.springsource.com/security/cve-2010-1622"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20161014113129/http://www.securitytracker.com/id/1033898"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20200227210033/http://www.securityfocus.com/archive/1/511877"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20200228060816/http://www.securityfocus.com/bid/40954"
    },
    {
      "type": "WEB",
      "url": "http://geronimo.apache.org/2010/07/21/apache-geronimo-v216-released.html"
    },
    {
      "type": "WEB",
      "url": "http://geronimo.apache.org/21x-security-report.html"
    },
    {
      "type": "WEB",
      "url": "http://geronimo.apache.org/22x-security-report.html"
    },
    {
      "type": "WEB",
      "url": "http://www.exploit-db.com/exploits/13918"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2011-0175.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Improper Control of Generation of Code (\u0027Code Injection\u0027) in Spring Framework"
}

GSD-2010-1622

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2010-1622

Aliases

CVE-2010-1622

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2010-1622",
    "description": "SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file.",
    "id": "GSD-2010-1622",
    "references": [
      "https://access.redhat.com/errata/RHSA-2011:0175"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2010-1622"
      ],
      "details": "SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file.",
      "id": "GSD-2010-1622",
      "modified": "2023-12-13T01:21:32.144638Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert@redhat.com",
        "ID": "CVE-2010-1622",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://geronimo.apache.org/2010/07/21/apache-geronimo-v216-released.html",
            "refsource": "MISC",
            "url": "http://geronimo.apache.org/2010/07/21/apache-geronimo-v216-released.html"
          },
          {
            "name": "http://geronimo.apache.org/21x-security-report.html",
            "refsource": "MISC",
            "url": "http://geronimo.apache.org/21x-security-report.html"
          },
          {
            "name": "http://geronimo.apache.org/22x-security-report.html",
            "refsource": "MISC",
            "url": "http://geronimo.apache.org/22x-security-report.html"
          },
          {
            "name": "http://secunia.com/advisories/41016",
            "refsource": "MISC",
            "url": "http://secunia.com/advisories/41016"
          },
          {
            "name": "http://secunia.com/advisories/41025",
            "refsource": "MISC",
            "url": "http://secunia.com/advisories/41025"
          },
          {
            "name": "http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html",
            "refsource": "MISC",
            "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html"
          },
          {
            "name": "http://secunia.com/advisories/43087",
            "refsource": "MISC",
            "url": "http://secunia.com/advisories/43087"
          },
          {
            "name": "http://www.exploit-db.com/exploits/13918",
            "refsource": "MISC",
            "url": "http://www.exploit-db.com/exploits/13918"
          },
          {
            "name": "http://www.redhat.com/support/errata/RHSA-2011-0175.html",
            "refsource": "MISC",
            "url": "http://www.redhat.com/support/errata/RHSA-2011-0175.html"
          },
          {
            "name": "http://www.securityfocus.com/archive/1/511877",
            "refsource": "MISC",
            "url": "http://www.securityfocus.com/archive/1/511877"
          },
          {
            "name": "http://www.securityfocus.com/bid/40954",
            "refsource": "MISC",
            "url": "http://www.securityfocus.com/bid/40954"
          },
          {
            "name": "http://www.securitytracker.com/id/1033898",
            "refsource": "MISC",
            "url": "http://www.securitytracker.com/id/1033898"
          },
          {
            "name": "http://www.springsource.com/security/cve-2010-1622",
            "refsource": "MISC",
            "url": "http://www.springsource.com/security/cve-2010-1622"
          },
          {
            "name": "http://www.vupen.com/english/advisories/2011/0237",
            "refsource": "MISC",
            "url": "http://www.vupen.com/english/advisories/2011/0237"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "[2-alpha0,2.5.6.SEC01],[3.0-alpha0,3.0.2.RELEASE]",
          "affected_versions": "All versions starting from 2-alpha0 up to 2.5.6.sec01, all versions starting from 3.0-alpha0 up to 3.0.2.release",
          "cvss_v2": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937",
            "CWE-94"
          ],
          "date": "2016-12-06",
          "description": "This package allows remote attackers to execute arbitrary code via an HTTP request containing `class.classLoader.URLs[0]=jar:` followed by a URL of a crafted `.jar` file.",
          "fixed_versions": [
            "2.5.6.SEC02",
            "3.0.3.RELEASE"
          ],
          "identifier": "CVE-2010-1622",
          "identifiers": [
            "CVE-2010-1622"
          ],
          "not_impacted": "All versions before 2-alpha0, all versions after 2.5.6.sec01 before 3.0-alpha0, all versions after 3.0.2.release",
          "package_slug": "maven/org.springframework/spring-core",
          "pubdate": "2010-06-21",
          "solution": "Upgrade to versions 2.5.6.SEC02, 3.0.3.RELEASE or above.",
          "title": "Remote classloader modification",
          "urls": [
            "http://support.springsource.com/security/cve-2010-1622",
            "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1622"
          ],
          "uuid": "bbebb7fa-8100-4565-9fb9-6acc0ecfe703"
        },
        {
          "affected_range": "[2.5.0,2.5.6],[3.0.0,3.0.2]",
          "affected_versions": "All versions starting from 2.5.0 up to 2.5.6, all versions starting from 3.0.0 up to 3.0.2",
          "cvss_v2": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
          "cwe_ids": [
            "CWE-1035",
            "CWE-78",
            "CWE-937",
            "CWE-94"
          ],
          "date": "2022-06-17",
          "description": "SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file.",
          "fixed_versions": [
            "2.5.7",
            "3.0.3"
          ],
          "identifier": "CVE-2010-1622",
          "identifiers": [
            "GHSA-vpr3-f594-mg5g",
            "CVE-2010-1622"
          ],
          "not_impacted": "All versions before 2.5.0, all versions after 2.5.6 before 3.0.0, all versions after 3.0.2",
          "package_slug": "maven/org.springframework/spring",
          "pubdate": "2022-05-17",
          "solution": "Upgrade to versions 2.5.7, 3.0.3 or above.",
          "title": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2010-1622",
            "http://geronimo.apache.org/2010/07/21/apache-geronimo-v216-released.html",
            "http://geronimo.apache.org/21x-security-report.html",
            "http://geronimo.apache.org/22x-security-report.html",
            "http://www.exploit-db.com/exploits/13918",
            "http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html",
            "https://seclists.org/fulldisclosure/2010/Jun/456",
            "https://github.com/advisories/GHSA-vpr3-f594-mg5g"
          ],
          "uuid": "d1064b16-ee52-4c8c-b44a-892ca0fe9bd5"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:oracle:fusion_middleware:11.1.1.8.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:fusion_middleware:7.6.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:oracle:fusion_middleware:11.1.1.6.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:springsource:spring_framework:2.5.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:springsource:spring_framework:3.0.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:springsource:spring_framework:2.5.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:springsource:spring_framework:3.0.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:springsource:spring_framework:2.5.5:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:springsource:spring_framework:2.5.6:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:springsource:spring_framework:2.5.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:springsource:spring_framework:2.5.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:springsource:spring_framework:2.5.7:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:springsource:spring_framework:3.0.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:springsource:spring_framework:2.5.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2010-1622"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-94"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "20100618 CVE-2010-1622: Spring Framework execution of arbitrary code",
              "refsource": "BUGTRAQ",
              "tags": [
                "Exploit"
              ],
              "url": "http://www.securityfocus.com/archive/1/511877"
            },
            {
              "name": "http://www.springsource.com/security/cve-2010-1622",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Vendor Advisory"
              ],
              "url": "http://www.springsource.com/security/cve-2010-1622"
            },
            {
              "name": "13918",
              "refsource": "EXPLOIT-DB",
              "tags": [
                "Exploit"
              ],
              "url": "http://www.exploit-db.com/exploits/13918"
            },
            {
              "name": "40954",
              "refsource": "BID",
              "tags": [],
              "url": "http://www.securityfocus.com/bid/40954"
            },
            {
              "name": "41025",
              "refsource": "SECUNIA",
              "tags": [],
              "url": "http://secunia.com/advisories/41025"
            },
            {
              "name": "41016",
              "refsource": "SECUNIA",
              "tags": [],
              "url": "http://secunia.com/advisories/41016"
            },
            {
              "name": "http://geronimo.apache.org/2010/07/21/apache-geronimo-v216-released.html",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://geronimo.apache.org/2010/07/21/apache-geronimo-v216-released.html"
            },
            {
              "name": "http://geronimo.apache.org/22x-security-report.html",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://geronimo.apache.org/22x-security-report.html"
            },
            {
              "name": "http://geronimo.apache.org/21x-security-report.html",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://geronimo.apache.org/21x-security-report.html"
            },
            {
              "name": "RHSA-2011:0175",
              "refsource": "REDHAT",
              "tags": [],
              "url": "http://www.redhat.com/support/errata/RHSA-2011-0175.html"
            },
            {
              "name": "43087",
              "refsource": "SECUNIA",
              "tags": [],
              "url": "http://secunia.com/advisories/43087"
            },
            {
              "name": "ADV-2011-0237",
              "refsource": "VUPEN",
              "tags": [],
              "url": "http://www.vupen.com/english/advisories/2011/0237"
            },
            {
              "name": "http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html"
            },
            {
              "name": "1033898",
              "refsource": "SECTRACK",
              "tags": [],
              "url": "http://www.securitytracker.com/id/1033898"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 6.8,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2023-02-13T04:17Z",
      "publishedDate": "2010-06-21T16:30Z"
    }
  }
}

RHSA-2011:0175

Vulnerability from csaf_redhat - Published: 2011-01-25 15:30 - Updated: 2025-11-21 17:37

Summary

Red Hat Security Advisory: JBoss Web Framework Kit 1.0.0 removal

Severity

Moderate

Notes

Topic: JBoss Web Framework Kit 1.0.0 contains a security flaw and should no longer be used. This update removes the JBoss Web Framework Kit 1.0.0 packages. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Details: The JBoss Web Framework Kit combines popular open source web frameworks into a single solution for Java applications. The spring2 packages shipped as part of JBoss Web Framework Kit 1.0.0 are vulnerable to a security flaw that could allow a remote attacker to execute arbitrary code via a specially-crafted HTTP request. (CVE-2010-1622) This update removes the JBoss Web Framework Kit 1.0.0 packages. JBoss Web Framework Kit 1.0.0 RPMs and updates will no longer be available from the Red Hat Network. Registered users wishing to continue to use the JBoss Web Framework Kit are advised to download the latest version, 1.1.0, from the Red Hat Customer Portal: https://access.redhat.com/jbossnetwork/ Future updates for JBoss Web Framework Kit will be made available only through the Red Hat Customer Portal. Note that JBoss Web Framework Kit 1.1.0 from the Customer Portal does not include the Spring framework, and is therefore not affected by the CVE-2010-1622 issue.

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2010-1622

7.5 ()


                        
                          AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-96 - Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: 4AS-JBWFK-5.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.noarch	—	Vendor Fix fix
Unresolved product id: 4AS-JBWFK-5.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.src	—	Vendor Fix fix
Unresolved product id: 4ES-JBWFK-5.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.noarch	—	Vendor Fix fix
Unresolved product id: 4ES-JBWFK-5.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.src	—	Vendor Fix fix

Known not affected 2 products

Product	Identifier	Version	Remediation
Unresolved product id: 5Server-JBWFK-1.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el5.noarch		—
Unresolved product id: 5Server-JBWFK-1.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el5.src		—

Threats

Impact Important

References

10 references

URL	Category
https://access.redhat.com/errata/RHSA-2011:0175	self
https://access.redhat.com/security/updates/classi…	external
https://access.redhat.com/jbossnetwork/	external
http://docs.redhat.com/docs/en-US/JBoss_Web_Frame…	external
https://bugzilla.redhat.com/show_bug.cgi?id=606706	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2010-1622	self
https://bugzilla.redhat.com/show_bug.cgi?id=606706	external
https://www.cve.org/CVERecord?id=CVE-2010-1622	external
https://nvd.nist.gov/vuln/detail/CVE-2010-1622	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "JBoss Web Framework Kit 1.0.0 contains a security flaw and should no\nlonger be used. This update removes the JBoss Web Framework Kit 1.0.0\npackages.\n\nThe Red Hat Security Response Team has rated this update as having moderate\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available from the CVE link in\nthe References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "The JBoss Web Framework Kit combines popular open source web frameworks\ninto a single solution for Java applications.\n\nThe spring2 packages shipped as part of JBoss Web Framework Kit 1.0.0 are\nvulnerable to a security flaw that could allow a remote attacker to\nexecute arbitrary code via a specially-crafted HTTP request.\n(CVE-2010-1622)\n\nThis update removes the JBoss Web Framework Kit 1.0.0 packages. JBoss Web\nFramework Kit 1.0.0 RPMs and updates will no longer be available from the\nRed Hat Network.\n\nRegistered users wishing to continue to use the JBoss Web Framework Kit are\nadvised to download the latest version, 1.1.0, from the Red Hat Customer\nPortal:\n\nhttps://access.redhat.com/jbossnetwork/\n\nFuture updates for JBoss Web Framework Kit will be made available only\nthrough the Red Hat Customer Portal. Note that JBoss Web Framework Kit\n1.1.0 from the Customer Portal does not include the Spring framework, and\nis therefore not affected by the CVE-2010-1622 issue.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2011:0175",
        "url": "https://access.redhat.com/errata/RHSA-2011:0175"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/",
        "url": "https://access.redhat.com/jbossnetwork/"
      },
      {
        "category": "external",
        "summary": "http://docs.redhat.com/docs/en-US/JBoss_Web_Framework_Kit/1.1/html/Release_Notes_1.1.0/Installation_Notes.html",
        "url": "http://docs.redhat.com/docs/en-US/JBoss_Web_Framework_Kit/1.1/html/Release_Notes_1.1.0/Installation_Notes.html"
      },
      {
        "category": "external",
        "summary": "606706",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=606706"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2011/rhsa-2011_0175.json"
      }
    ],
    "title": "Red Hat Security Advisory: JBoss Web Framework Kit 1.0.0 removal",
    "tracking": {
      "current_release_date": "2025-11-21T17:37:27+00:00",
      "generator": {
        "date": "2025-11-21T17:37:27+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.12"
        }
      },
      "id": "RHSA-2011:0175",
      "initial_release_date": "2011-01-25T15:30:00+00:00",
      "revision_history": [
        {
          "date": "2011-01-25T15:30:00+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2011-01-25T10:34:20+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-11-21T17:37:27+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss Web Framework Kit 5.0.0 for RHEL 4 AS",
                "product": {
                  "name": "Red Hat JBoss Web Framework Kit 5.0.0 for RHEL 4 AS",
                  "product_id": "4AS-JBWFK-5.0.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_web_framework_kit:1::el4"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat JBoss Web Framework Kit 5.0.0 for RHEL 4 ES",
                "product": {
                  "name": "Red Hat JBoss Web Framework Kit 5.0.0 for RHEL 4 ES",
                  "product_id": "4ES-JBWFK-5.0.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_web_framework_kit:1::el4"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat JBoss Web Framework Kit 1.0.0 for RHEL 5 Server",
                "product": {
                  "name": "Red Hat JBoss Web Framework Kit 1.0.0 for RHEL 5 Server",
                  "product_id": "5Server-JBWFK-1.0.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_web_framework_kit:1::el5"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Web Framework Kit"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.src",
                "product": {
                  "name": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.src",
                  "product_id": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jboss-wfk-1.0.0-uninstall@1.0.0-3.ep5.el4?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el5.src",
                "product": {
                  "name": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el5.src",
                  "product_id": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el5.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jboss-wfk-1.0.0-uninstall@1.0.0-3.ep5.el5?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.noarch",
                "product": {
                  "name": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.noarch",
                  "product_id": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jboss-wfk-1.0.0-uninstall@1.0.0-3.ep5.el4?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el5.noarch",
                "product": {
                  "name": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el5.noarch",
                  "product_id": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el5.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jboss-wfk-1.0.0-uninstall@1.0.0-3.ep5.el5?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.noarch as a component of Red Hat JBoss Web Framework Kit 5.0.0 for RHEL 4 AS",
          "product_id": "4AS-JBWFK-5.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.noarch"
        },
        "product_reference": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.noarch",
        "relates_to_product_reference": "4AS-JBWFK-5.0.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.src as a component of Red Hat JBoss Web Framework Kit 5.0.0 for RHEL 4 AS",
          "product_id": "4AS-JBWFK-5.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.src"
        },
        "product_reference": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.src",
        "relates_to_product_reference": "4AS-JBWFK-5.0.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.noarch as a component of Red Hat JBoss Web Framework Kit 5.0.0 for RHEL 4 ES",
          "product_id": "4ES-JBWFK-5.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.noarch"
        },
        "product_reference": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.noarch",
        "relates_to_product_reference": "4ES-JBWFK-5.0.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.src as a component of Red Hat JBoss Web Framework Kit 5.0.0 for RHEL 4 ES",
          "product_id": "4ES-JBWFK-5.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.src"
        },
        "product_reference": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.src",
        "relates_to_product_reference": "4ES-JBWFK-5.0.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el5.noarch as a component of Red Hat JBoss Web Framework Kit 1.0.0 for RHEL 5 Server",
          "product_id": "5Server-JBWFK-1.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el5.noarch"
        },
        "product_reference": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el5.noarch",
        "relates_to_product_reference": "5Server-JBWFK-1.0.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el5.src as a component of Red Hat JBoss Web Framework Kit 1.0.0 for RHEL 5 Server",
          "product_id": "5Server-JBWFK-1.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el5.src"
        },
        "product_reference": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el5.src",
        "relates_to_product_reference": "5Server-JBWFK-1.0.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2010-1622",
      "cwe": {
        "id": "CWE-96",
        "name": "Improper Neutralization of Directives in Statically Saved Code (\u0027Static Code Injection\u0027)"
      },
      "discovery_date": "2010-06-21T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "5Server-JBWFK-1.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el5.noarch",
            "5Server-JBWFK-1.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el5.src"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "606706"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "3.0.3): Arbitrary Java code execution via an HTTP request containing a specially-crafted .jar file",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue did not affect the versions of the SpringSource Spring Framework, as shipped with JBoss Enterprise Application Platform v4.2.0, v4.3.0, or v.5.0.0.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "4AS-JBWFK-5.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.noarch",
          "4AS-JBWFK-5.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.src",
          "4ES-JBWFK-5.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.noarch",
          "4ES-JBWFK-5.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.src"
        ],
        "known_not_affected": [
          "5Server-JBWFK-1.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el5.noarch",
          "5Server-JBWFK-1.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el5.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2010-1622"
        },
        {
          "category": "external",
          "summary": "RHBZ#606706",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=606706"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2010-1622",
          "url": "https://www.cve.org/CVERecord?id=CVE-2010-1622"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2010-1622",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-1622"
        }
      ],
      "release_date": "2010-06-17T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2011-01-25T15:30:00+00:00",
          "details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/docs/DOC-11259",
          "product_ids": [
            "4AS-JBWFK-5.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.noarch",
            "4AS-JBWFK-5.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.src",
            "4ES-JBWFK-5.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.noarch",
            "4ES-JBWFK-5.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2011:0175"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "4AS-JBWFK-5.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.noarch",
            "4AS-JBWFK-5.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.src",
            "4ES-JBWFK-5.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.noarch",
            "4ES-JBWFK-5.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.src",
            "5Server-JBWFK-1.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el5.noarch",
            "5Server-JBWFK-1.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el5.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "3.0.3): Arbitrary Java code execution via an HTTP request containing a specially-crafted .jar file"
    }
  ]
}

RHSA-2011_0175

Vulnerability from csaf_redhat - Published: 2011-01-25 15:30 - Updated: 2024-11-22 03:36

Summary

Red Hat Security Advisory: JBoss Web Framework Kit 1.0.0 removal

Severity

Moderate

Notes

CVE-2010-1622

7.5 ()


                        
                          AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-96 - Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: 4AS-JBWFK-5.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.noarch	—	Vendor Fix fix
Unresolved product id: 4AS-JBWFK-5.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.src	—	Vendor Fix fix
Unresolved product id: 4ES-JBWFK-5.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.noarch	—	Vendor Fix fix
Unresolved product id: 4ES-JBWFK-5.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.src	—	Vendor Fix fix

Known not affected 2 products

Product	Identifier	Version	Remediation
Unresolved product id: 5Server-JBWFK-1.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el5.noarch		—
Unresolved product id: 5Server-JBWFK-1.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el5.src		—

Threats

Impact Important

References

10 references

URL	Category
https://access.redhat.com/errata/RHSA-2011:0175	self
https://access.redhat.com/security/updates/classi…	external
https://access.redhat.com/jbossnetwork/	external
http://docs.redhat.com/docs/en-US/JBoss_Web_Frame…	external
https://bugzilla.redhat.com/show_bug.cgi?id=606706	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2010-1622	self
https://bugzilla.redhat.com/show_bug.cgi?id=606706	external
https://www.cve.org/CVERecord?id=CVE-2010-1622	external
https://nvd.nist.gov/vuln/detail/CVE-2010-1622	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "JBoss Web Framework Kit 1.0.0 contains a security flaw and should no\nlonger be used. This update removes the JBoss Web Framework Kit 1.0.0\npackages.\n\nThe Red Hat Security Response Team has rated this update as having moderate\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available from the CVE link in\nthe References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "The JBoss Web Framework Kit combines popular open source web frameworks\ninto a single solution for Java applications.\n\nThe spring2 packages shipped as part of JBoss Web Framework Kit 1.0.0 are\nvulnerable to a security flaw that could allow a remote attacker to\nexecute arbitrary code via a specially-crafted HTTP request.\n(CVE-2010-1622)\n\nThis update removes the JBoss Web Framework Kit 1.0.0 packages. JBoss Web\nFramework Kit 1.0.0 RPMs and updates will no longer be available from the\nRed Hat Network.\n\nRegistered users wishing to continue to use the JBoss Web Framework Kit are\nadvised to download the latest version, 1.1.0, from the Red Hat Customer\nPortal:\n\nhttps://access.redhat.com/jbossnetwork/\n\nFuture updates for JBoss Web Framework Kit will be made available only\nthrough the Red Hat Customer Portal. Note that JBoss Web Framework Kit\n1.1.0 from the Customer Portal does not include the Spring framework, and\nis therefore not affected by the CVE-2010-1622 issue.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2011:0175",
        "url": "https://access.redhat.com/errata/RHSA-2011:0175"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/",
        "url": "https://access.redhat.com/jbossnetwork/"
      },
      {
        "category": "external",
        "summary": "http://docs.redhat.com/docs/en-US/JBoss_Web_Framework_Kit/1.1/html/Release_Notes_1.1.0/Installation_Notes.html",
        "url": "http://docs.redhat.com/docs/en-US/JBoss_Web_Framework_Kit/1.1/html/Release_Notes_1.1.0/Installation_Notes.html"
      },
      {
        "category": "external",
        "summary": "606706",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=606706"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2011/rhsa-2011_0175.json"
      }
    ],
    "title": "Red Hat Security Advisory: JBoss Web Framework Kit 1.0.0 removal",
    "tracking": {
      "current_release_date": "2024-11-22T03:36:50+00:00",
      "generator": {
        "date": "2024-11-22T03:36:50+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2011:0175",
      "initial_release_date": "2011-01-25T15:30:00+00:00",
      "revision_history": [
        {
          "date": "2011-01-25T15:30:00+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2011-01-25T10:34:20+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-22T03:36:50+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss Web Framework Kit 5.0.0 for RHEL 4 AS",
                "product": {
                  "name": "Red Hat JBoss Web Framework Kit 5.0.0 for RHEL 4 AS",
                  "product_id": "4AS-JBWFK-5.0.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_web_framework_kit:1::el4"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat JBoss Web Framework Kit 5.0.0 for RHEL 4 ES",
                "product": {
                  "name": "Red Hat JBoss Web Framework Kit 5.0.0 for RHEL 4 ES",
                  "product_id": "4ES-JBWFK-5.0.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_web_framework_kit:1::el4"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat JBoss Web Framework Kit 1.0.0 for RHEL 5 Server",
                "product": {
                  "name": "Red Hat JBoss Web Framework Kit 1.0.0 for RHEL 5 Server",
                  "product_id": "5Server-JBWFK-1.0.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_web_framework_kit:1::el5"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Web Framework Kit"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.src",
                "product": {
                  "name": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.src",
                  "product_id": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jboss-wfk-1.0.0-uninstall@1.0.0-3.ep5.el4?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el5.src",
                "product": {
                  "name": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el5.src",
                  "product_id": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el5.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jboss-wfk-1.0.0-uninstall@1.0.0-3.ep5.el5?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.noarch",
                "product": {
                  "name": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.noarch",
                  "product_id": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jboss-wfk-1.0.0-uninstall@1.0.0-3.ep5.el4?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el5.noarch",
                "product": {
                  "name": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el5.noarch",
                  "product_id": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el5.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jboss-wfk-1.0.0-uninstall@1.0.0-3.ep5.el5?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.noarch as a component of Red Hat JBoss Web Framework Kit 5.0.0 for RHEL 4 AS",
          "product_id": "4AS-JBWFK-5.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.noarch"
        },
        "product_reference": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.noarch",
        "relates_to_product_reference": "4AS-JBWFK-5.0.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.src as a component of Red Hat JBoss Web Framework Kit 5.0.0 for RHEL 4 AS",
          "product_id": "4AS-JBWFK-5.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.src"
        },
        "product_reference": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.src",
        "relates_to_product_reference": "4AS-JBWFK-5.0.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.noarch as a component of Red Hat JBoss Web Framework Kit 5.0.0 for RHEL 4 ES",
          "product_id": "4ES-JBWFK-5.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.noarch"
        },
        "product_reference": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.noarch",
        "relates_to_product_reference": "4ES-JBWFK-5.0.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.src as a component of Red Hat JBoss Web Framework Kit 5.0.0 for RHEL 4 ES",
          "product_id": "4ES-JBWFK-5.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.src"
        },
        "product_reference": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.src",
        "relates_to_product_reference": "4ES-JBWFK-5.0.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el5.noarch as a component of Red Hat JBoss Web Framework Kit 1.0.0 for RHEL 5 Server",
          "product_id": "5Server-JBWFK-1.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el5.noarch"
        },
        "product_reference": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el5.noarch",
        "relates_to_product_reference": "5Server-JBWFK-1.0.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el5.src as a component of Red Hat JBoss Web Framework Kit 1.0.0 for RHEL 5 Server",
          "product_id": "5Server-JBWFK-1.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el5.src"
        },
        "product_reference": "jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el5.src",
        "relates_to_product_reference": "5Server-JBWFK-1.0.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2010-1622",
      "cwe": {
        "id": "CWE-96",
        "name": "Improper Neutralization of Directives in Statically Saved Code (\u0027Static Code Injection\u0027)"
      },
      "discovery_date": "2010-06-21T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "5Server-JBWFK-1.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el5.noarch",
            "5Server-JBWFK-1.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el5.src"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "606706"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "3.0.3): Arbitrary Java code execution via an HTTP request containing a specially-crafted .jar file",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue did not affect the versions of the SpringSource Spring Framework, as shipped with JBoss Enterprise Application Platform v4.2.0, v4.3.0, or v.5.0.0.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "4AS-JBWFK-5.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.noarch",
          "4AS-JBWFK-5.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.src",
          "4ES-JBWFK-5.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.noarch",
          "4ES-JBWFK-5.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.src"
        ],
        "known_not_affected": [
          "5Server-JBWFK-1.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el5.noarch",
          "5Server-JBWFK-1.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el5.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2010-1622"
        },
        {
          "category": "external",
          "summary": "RHBZ#606706",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=606706"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2010-1622",
          "url": "https://www.cve.org/CVERecord?id=CVE-2010-1622"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2010-1622",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-1622"
        }
      ],
      "release_date": "2010-06-17T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2011-01-25T15:30:00+00:00",
          "details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/docs/DOC-11259",
          "product_ids": [
            "4AS-JBWFK-5.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.noarch",
            "4AS-JBWFK-5.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.src",
            "4ES-JBWFK-5.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.noarch",
            "4ES-JBWFK-5.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2011:0175"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "4AS-JBWFK-5.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.noarch",
            "4AS-JBWFK-5.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.src",
            "4ES-JBWFK-5.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.noarch",
            "4ES-JBWFK-5.0.0:jboss-wfk-1.0.0-uninstall-0:1.0.0-3.ep5.el4.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "3.0.3): Arbitrary Java code execution via an HTTP request containing a specially-crafted .jar file"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2010-1622 (GCVE-0-2010-1622)

Description

Solution

Description

Solution

Tags

Sightings

Nomenclature