{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-01-20T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple XML External Entity (XXE) vulnerabilities in the (1) ExecutionHandler, (2) PollHandler, and (3) SubscriptionHandler classes in JBoss Seam Remoting in JBoss Seam 2 framework 2.3.1 and earlier, as used in JBoss Web Framework Kit, allow remote attackers to read arbitrary files and possibly have other impacts via a crafted XML file."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2014-01-22T23:57:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "1029652", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1029652"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/seam2/jboss-seam/commit/090aa6252affc978a96c388e3fc2c1c2688d9bb5"}, {"name": "56572", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/56572"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1044784"}, {"name": "RHSA-2014:0045", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2014-0045.html"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T17:39:01.202Z"}, "title": "CVE Program Container", "references": [{"name": "1029652", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1029652"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/seam2/jboss-seam/commit/090aa6252affc978a96c388e3fc2c1c2688d9bb5"}, {"name": "56572", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/56572"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1044784"}, {"name": "RHSA-2014:0045", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2014-0045.html"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-6447", "datePublished": "2014-01-23T00:00:00", "dateReserved": "2013-11-04T00:00:00", "dateUpdated": "2024-08-06T17:39:01.202Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "D364080C-85B8-46A0-B5C7-1590DAF98320", "versionEndIncluding": "2.3.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "4664C66E-3F4B-471E-AAC9-276834A55499", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.0:cr1:*:*:*:*:*:*", "matchCriteriaId": "43CACD28-B9A3-46D5-BA99-AA578F51D693", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.0:cr2:*:*:*:*:*:*", "matchCriteriaId": "1A4951C4-8941-4A7F-B742-B50A812CC4B5", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.0:cr3:*:*:*:*:*:*", "matchCriteriaId": "1A83D0E2-C724-47D1-9A98-7ACADA8810DA", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.0:ga:*:*:*:*:*:*", "matchCriteriaId": "56B7E191-8A62-4BDE-90A4-192BA5696A39", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.1:cr1:*:*:*:*:*:*", "matchCriteriaId": "4A027797-81BC-4826-BBCC-C5EAEAB3E503", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.1:cr2:*:*:*:*:*:*", "matchCriteriaId": "67F9B8C2-D2BE-4B4A-829C-528EC716C3FF", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.1:ga:*:*:*:*:*:*", "matchCriteriaId": "D38126DF-747B-4892-9B63-E7E35F98C760", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.2:cr1:*:*:*:*:*:*", "matchCriteriaId": "ECD78557-9403-496D-8512-FA693E291164", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.2:cr2:*:*:*:*:*:*", "matchCriteriaId": "CB076878-0465-44C7-AE59-C9584B3CEE1F", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.2:ga:*:*:*:*:*:*", "matchCriteriaId": "F682D85A-5B8C-4F83-BABD-9D28775C3776", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.2:sp1:*:*:*:*:*:*", "matchCriteriaId": "43DA16B0-8E35-444D-B0BC-6774BBEC9E49", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.3:cr1:*:*:*:*:*:*", "matchCriteriaId": "D249483C-D9F2-474F-9DDD-775CA573A642", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "C5BD9104-7BE9-420F-8DB2-C07748941254", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "A6513765-FEB9-4D7E-AE29-E479707AED02", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.0:cr1:*:*:*:*:*:*", "matchCriteriaId": "42291710-D8D1-4C77-8A62-E0B80BA3D5AB", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.0:ga:*:*:*:*:*:*", "matchCriteriaId": "0BBFD756-FF7B-4163-9924-CC922A7EA1AF", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.0:sp1:*:*:*:*:*:*", "matchCriteriaId": "226579DC-5DFE-4778-9871-4137B556D3A3", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.1:cr1:*:*:*:*:*:*", "matchCriteriaId": "CB03E6D7-1A07-49EB-AB21-E136132BDF1E", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.1:cr2:*:*:*:*:*:*", "matchCriteriaId": "68FE6392-8774-4534-8903-BE9154FE2795", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.1:ga:*:*:*:*:*:*", "matchCriteriaId": "9F98F783-0AB2-41BE-8B07-D62438824541", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "7A206D39-DBF9-4B14-8703-9081682A1EEE", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.2:cr1:*:*:*:*:*:*", "matchCriteriaId": "32B2FE67-27F7-4BF7-A78A-0A5FAAADFE20", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.2:cr2:*:*:*:*:*:*", "matchCriteriaId": "1371416C-30C8-47A6-8A0C-F4E37875BE8F", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.0:cr1:*:*:*:*:*:*", "matchCriteriaId": "CA790538-865A-4249-B6F9-F0CEC5818E57", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.0:ga:*:*:*:*:*:*", "matchCriteriaId": "62AB605C-3102-4425-A563-817445B2F187", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "0E6F5051-BF57-44EA-942F-9E74A06D8B45", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.1:cr1:*:*:*:*:*:*", "matchCriteriaId": "0FD6DFE0-4FC8-4311-A724-666AA48A64C5", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.1:cr2:*:*:*:*:*:*", "matchCriteriaId": "EB833625-4D55-4BFE-A05C-5650D342C461", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.1:cr3:*:*:*:*:*:*", "matchCriteriaId": "CB5F7791-FC8F-4E6C-B14D-A31D69086895", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "A42F5033-9365-44D7-8B42-A6367456ED8F", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "04C1DC31-7337-4C24-9DA0-A79D0D442D5A", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.3.0:alpha:*:*:*:*:*:*", "matchCriteriaId": "7376B2C4-542E-42CE-9970-749B78A30571", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.3.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "73C2733D-BA18-4E56-9E08-9F334C7DAAF5", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.3.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "AFFFDD3E-CBEC-461B-80D8-45EBD04CAE09", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.3.0:cr1:*:*:*:*:*:*", "matchCriteriaId": "A5608CA4-7E53-471E-BCD3-F8EA13839557", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_seam_2_framework:2.3.1:cr1:*:*:*:*:*:*", "matchCriteriaId": "24546C35-AAEF-40DE-889A-8AA50D25968C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple XML External Entity (XXE) vulnerabilities in the (1) ExecutionHandler, (2) PollHandler, and (3) SubscriptionHandler classes in JBoss Seam Remoting in JBoss Seam 2 framework 2.3.1 and earlier, as used in JBoss Web Framework Kit, allow remote attackers to read arbitrary files and possibly have other impacts via a crafted XML file."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de XXE en las clases (1) ExecutionHandler, (2) PollHandler, y (3) SubscriptionHandler en JBoss Seam Remoting de JBoss Seam 2 framework 2.3.1 y anteriores versiones, tal como se usa en JBoss Web Framework Kit, permite a atancantes remotos leer archivos arbitrarios y posiblemente tener otros impactos a trav\u00e9s de un archivo XML manipulado."}], "id": "CVE-2013-6447", "lastModified": "2014-01-23T18:16:12.740", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-01-23T00:55:03.347", "references": [{"source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2014-0045.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/56572"}, {"source": "secalert@redhat.com", "url": "http://www.securitytracker.com/id/1029652"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1044784"}, {"source": "secalert@redhat.com", "url": "https://github.com/seam2/jboss-seam/commit/090aa6252affc978a96c388e3fc2c1c2688d9bb5"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Jon Passki (Coverity SRL) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2014:0045", "cpe": "cpe:/a:redhat:jboss_enterprise_web_framework:2.4.0", "package": "Seam", "product_name": "Red Hat JBoss Web Framework Kit 2.4", "release_date": "2014-01-20T00:00:00Z"}], "bugzilla": {"description": "Seam: XML eXternal Entity (XXE) flaw in remoting", "id": "1044784", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1044784"}, "csaw": false, "cvss": {"cvss_base_score": "5.0", "cvss_scoring_vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "status": "verified"}, "cwe": "CWE-611", "details": ["Multiple XML External Entity (XXE) vulnerabilities in the (1) ExecutionHandler, (2) PollHandler, and (3) SubscriptionHandler classes in JBoss Seam Remoting in JBoss Seam 2 framework 2.3.1 and earlier, as used in JBoss Web Framework Kit, allow remote attackers to read arbitrary files and possibly have other impacts via a crafted XML file."], "name": "CVE-2013-6447", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5", "fix_state": "Affected", "package_name": "seam", "product_name": "Red Hat JBoss Enterprise Application Platform 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Affected", "package_name": "ewp-5", "product_name": "Red Hat JBoss Enterprise Web Server 1"}], "public_date": "2014-01-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2013-6447\nhttps://nvd.nist.gov/vuln/detail/CVE-2013-6447"], "statement": "This issue affects Seam 3 remoting, but Seam 3 is not shipped with any Red Hat products, and Seam 3 development has been terminated. This issue is not currently planned to be addressed in a future update to Seam 3.\nRed Hat JBoss BRMS 5; Red Hat JBoss Enterprise Application Platform 4 and 5; Red Hat JBoss Enterprise Portal Platform 5; Red Hat JBoss Enterprise SOA Platform 4 and 5; and Red Hat JBoss Enterprise Web Platform 5 are now in Phase 3, Extended Life Support, of their respective life cycles. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/", "threat_severity": "Moderate"}