CVE-2007-6433 - OpenCVE

The getRenderedEjbql method in the org.jboss.seam.framework.Query class in JBoss Seam 2.x before 2.0.0.CR3 allows remote attackers to inject and execute arbitrary EJBQL commands via the order parameter.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Jboss	Seam
Redhat	Jboss Enterprise Application Platform Rhel Application Stack

Configuration 1 [-]

cpe:2.3:a:jboss:seam:*:cr2:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
JBEAP 4.2.0 for RHEL 4
glassfish-javamail-0:1.4.0-0jpp.ep1.8	cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4	RHSA-2008:0151	2008-04-02T00:00:00Z
hibernate3-1:3.2.4-1.SP1_CP02.0jpp.ep1.1.el4	cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4	RHSA-2008:0151	2008-04-02T00:00:00Z
hibernate3-annotations-0:3.2.1-1.patch02.1jpp.ep1.2.el4	cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4	RHSA-2008:0151	2008-04-02T00:00:00Z
hibernate3-entitymanager-0:3.2.1-1jpp.ep1.6.el4	cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4	RHSA-2008:0151	2008-04-02T00:00:00Z
hsqldb-1:1.8.0.8-2.patch01.1jpp.ep1.1	cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4	RHSA-2008:0151	2008-04-02T00:00:00Z
jacorb-0:2.3.0-1jpp.ep1.4	cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4	RHSA-2008:0151	2008-04-02T00:00:00Z
jboss-aop-0:1.5.5-1.CP01.0jpp.ep1.1.el4	cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4	RHSA-2008:0151	2008-04-02T00:00:00Z
jbossas-0:4.2.0-3.GA_CP02.ep1.3.el4	cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4	RHSA-2008:0151	2008-04-02T00:00:00Z
jboss-cache-0:1.4.1-4.SP8_CP01.1jpp.ep1.1.el4	cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4	RHSA-2008:0151	2008-04-02T00:00:00Z
jboss-remoting-0:2.2.2-3.SP4.0jpp.ep1.1	cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4	RHSA-2008:0151	2008-04-02T00:00:00Z
jboss-seam-0:1.2.1-1.ep1.3.el4	cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4	RHSA-2008:0151	2008-04-02T00:00:00Z
jbossweb-0:2.0.0-3.CP05.0jpp.ep1.1	cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4	RHSA-2008:0151	2008-04-02T00:00:00Z
jbossws-jboss42-0:1.2.1-0jpp.ep1.2.el4	cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4	RHSA-2008:0151	2008-04-02T00:00:00Z
jcommon-0:1.0.12-1jpp.ep1.2.el4	cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4	RHSA-2008:0151	2008-04-02T00:00:00Z
jfreechart-0:1.0.9-1jpp.ep1.2.el4	cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4	RHSA-2008:0151	2008-04-02T00:00:00Z
jgroups-1:2.4.1-1.SP4.0jpp.ep1.2	cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4	RHSA-2008:0151	2008-04-02T00:00:00Z
rh-eap-docs-0:4.2.0-3.GA_CP02.ep1.1.el4	cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el4	RHSA-2008:0151	2008-04-02T00:00:00Z
JBEAP 4.2.0 for RHEL 5
hibernate3-0:3.2.4-1.SP1_CP02.0jpp.ep1.1.el5.1	cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el5	RHSA-2008:0213	2008-04-02T00:00:00Z
hibernate3-annotations-0:3.2.1-1.patch02.1jpp.ep1.2.el5.1	cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el5	RHSA-2008:0213	2008-04-02T00:00:00Z
jacorb-0:2.3.0-1jpp.ep1.5.el5	cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el5	RHSA-2008:0213	2008-04-02T00:00:00Z
jboss-aop-0:1.5.5-1.CP01.0jpp.ep1.1.el5	cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el5	RHSA-2008:0213	2008-04-02T00:00:00Z
jbossas-0:4.2.0-4.GA_CP02.ep1.3.el5.3	cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el5	RHSA-2008:0213	2008-04-02T00:00:00Z
jboss-cache-0:1.4.1-4.SP8_CP01.1jpp.ep1.1.el5	cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el5	RHSA-2008:0213	2008-04-02T00:00:00Z
jboss-remoting-0:2.2.2-3.SP4.0jpp.ep1.1.el5	cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el5	RHSA-2008:0213	2008-04-02T00:00:00Z
jboss-seam-0:1.2.1-1.ep1.3.el5	cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el5	RHSA-2008:0213	2008-04-02T00:00:00Z
jbossweb-0:2.0.0-3.CP05.0jpp.ep1.1.el5	cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el5	RHSA-2008:0213	2008-04-02T00:00:00Z
jcommon-0:1.0.12-1jpp.ep1.2.el5	cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el5	RHSA-2008:0213	2008-04-02T00:00:00Z
jfreechart-0:1.0.9-1jpp.ep1.2.el5.1	cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el5	RHSA-2008:0213	2008-04-02T00:00:00Z
rh-eap-docs-0:4.2.0-3.GA_CP02.ep1.1.el5.1	cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0::el5	RHSA-2008:0213	2008-04-02T00:00:00Z
Red Hat Web Application Stack for RHEL 4
concurrent-0:1.3.4-7jpp.ep1.6.el4	cpe:/a:redhat:rhel_application_stack:1	RHSA-2008:0158	2008-03-24T00:00:00Z
glassfish-jaf-0:1.1.0-0jpp.ep1.10.el4	cpe:/a:redhat:rhel_application_stack:1	RHSA-2008:0158	2008-03-24T00:00:00Z
glassfish-javamail-0:1.4.0-0jpp.ep1.8	cpe:/a:redhat:rhel_application_stack:1	RHSA-2008:0158	2008-03-24T00:00:00Z
glassfish-jsf-0:1.2_04-1.p02.0jpp.ep1.18	cpe:/a:redhat:rhel_application_stack:1	RHSA-2008:0158	2008-03-24T00:00:00Z
glassfish-jstl-0:1.2.0-0jpp.ep1.2	cpe:/a:redhat:rhel_application_stack:1	RHSA-2008:0158	2008-03-24T00:00:00Z
hibernate3-1:3.2.4-1.SP1_CP02.0jpp.ep1.1.el4	cpe:/a:redhat:rhel_application_stack:1	RHSA-2008:0158	2008-03-24T00:00:00Z
hibernate3-annotations-0:3.2.1-1.patch02.1jpp.ep1.2.el4	cpe:/a:redhat:rhel_application_stack:1	RHSA-2008:0158	2008-03-24T00:00:00Z
hibernate3-entitymanager-0:3.2.1-1jpp.ep1.6.el4	cpe:/a:redhat:rhel_application_stack:1	RHSA-2008:0158	2008-03-24T00:00:00Z
hsqldb-1:1.8.0.8-2.patch01.1jpp.ep1.1	cpe:/a:redhat:rhel_application_stack:1	RHSA-2008:0158	2008-03-24T00:00:00Z
jacorb-0:2.3.0-1jpp.ep1.4	cpe:/a:redhat:rhel_application_stack:1	RHSA-2008:0158	2008-03-24T00:00:00Z
jboss-aop-0:1.5.5-1.CP01.0jpp.ep1.1.el4	cpe:/a:redhat:rhel_application_stack:1	RHSA-2008:0158	2008-03-24T00:00:00Z
jbossas-0:4.2.0-3.GA_CP02.ep1.3.el4	cpe:/a:redhat:rhel_application_stack:1	RHSA-2008:0158	2008-03-24T00:00:00Z
jboss-cache-0:1.4.1-4.SP8_CP01.1jpp.ep1.1.el4	cpe:/a:redhat:rhel_application_stack:1	RHSA-2008:0158	2008-03-24T00:00:00Z
jboss-common-0:1.2.1-0jpp.ep1.2	cpe:/a:redhat:rhel_application_stack:1	RHSA-2008:0158	2008-03-24T00:00:00Z
jboss-remoting-0:2.2.2-3.SP4.0jpp.ep1.1	cpe:/a:redhat:rhel_application_stack:1	RHSA-2008:0158	2008-03-24T00:00:00Z
jboss-seam-0:1.2.1-1.ep1.3.el4	cpe:/a:redhat:rhel_application_stack:1	RHSA-2008:0158	2008-03-24T00:00:00Z
jbossweb-0:2.0.0-3.CP05.0jpp.ep1.1	cpe:/a:redhat:rhel_application_stack:1	RHSA-2008:0158	2008-03-24T00:00:00Z
jbossws-wsconsume-impl-0:2.0.0-0jpp.ep1.3	cpe:/a:redhat:rhel_application_stack:1	RHSA-2008:0158	2008-03-24T00:00:00Z
jbossxb-0:1.0.0-2.SP1.0jpp.ep1.2.el4	cpe:/a:redhat:rhel_application_stack:1	RHSA-2008:0158	2008-03-24T00:00:00Z
jcommon-0:1.0.12-1jpp.ep1.2.el4	cpe:/a:redhat:rhel_application_stack:1	RHSA-2008:0158	2008-03-24T00:00:00Z
jfreechart-0:1.0.9-1jpp.ep1.2.el4	cpe:/a:redhat:rhel_application_stack:1	RHSA-2008:0158	2008-03-24T00:00:00Z
jgroups-1:2.4.1-1.SP4.0jpp.ep1.2	cpe:/a:redhat:rhel_application_stack:1	RHSA-2008:0158	2008-03-24T00:00:00Z
rh-eap-docs-0:4.2.0-3.GA_CP02.ep1.1.el4	cpe:/a:redhat:rhel_application_stack:1	RHSA-2008:0158	2008-03-24T00:00:00Z
wsdl4j-0:1.6.2-1jpp.ep1.8	cpe:/a:redhat:rhel_application_stack:1	RHSA-2008:0158	2008-03-24T00:00:00Z

References

Link	Providers
http://jira.jboss.com/jira/browse/JBSEAM-2084
http://osvdb.org/42631
http://secunia.com/advisories/28077
http://sourceforge.net/project/shownotes.php?release_id=549490&group_id=22866
http://www.redhat.com/support/errata/RHSA-2008-0151.html
http://www.redhat.com/support/errata/RHSA-2008-0158.html
http://www.redhat.com/support/errata/RHSA-2008-0213.html
http://www.securityfocus.com/bid/26850
http://www.vupen.com/english/advisories/2007/4215
https://nvd.nist.gov/vuln/detail/CVE-2007-6433
https://www.cve.org/CVERecord?id=CVE-2007-6433

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2007-12-18T20:00:00

Updated: 2024-08-07T16:02:36.381Z

Reserved: 2007-12-18T00:00:00

Link: CVE-2007-6433

Vulnrichment

No data.

NVD

Status : Modified

Published: 2007-12-18T20:46:00.000

Modified: 2011-03-08T03:02:43.033

Link: CVE-2007-6433

Redhat

Severity : Moderate

Publid Date: 2007-12-19T00:00:00Z

Links: CVE-2007-6433 - Bugzilla

Metrics

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

Metrics

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object