CVE-2013-6447 : Multiple XML External Entity (XXE) vulnerabilities in the (1) ExecutionHandler, (2) PollHandler, and (3) SubscriptionHan

Multiple XML External Entity (XXE) vulnerabilities in the (1) ExecutionHandler, (2) PollHandler, and (3) SubscriptionHandler classes in JBoss Seam Remoting in JBoss Seam 2 framework 2.3.1 and earlier, as used in JBoss Web Framework Kit, allow remote attackers to read arbitrary files and possibly have other impacts via a crafted XML file.

Published 2014-01-23 00:55:03

Updated 2014-01-23 18:16:13

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: XML external entity (XXE) injectionInformation leak

Exploit prediction scoring system (EPSS) score for CVE-2013-6447

Probability of exploitation activity in the next 30 days: 25.95%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 96 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2013-6447

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:P/I:N/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None

CWE ids for CVE-2013-6447

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2013-6447

https://bugzilla.redhat.com/show_bug.cgi?id=1044784

1044784 – (CVE-2013-6447) CVE-2013-6447 JBoss Seam: XML eXternal Entity (XXE) flaw in remoting
Patch;Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2014-0045.html

Red Hat Customer Portal

CVEs referencing this url
https://github.com/seam2/jboss-seam/commit/090aa6252affc978a96c388e3fc2c1c2688d9bb5

https://issues.jboss.org/browse/WFK2-375 enhanced fix · seam2/jboss-seam@090aa62 · GitHub

CVEs referencing this url
http://www.securitytracker.com/id/1029652

JBoss Web Framework Kit Lets Remote Users Obtain Potentially Sensitive Information - SecurityTracker

CVEs referencing this url

Products affected by CVE-2013-6447

Redhat » Jboss Seam 2 Framework
Versions up to, including, (<=) 2.3.1
cpe:2.3:a:redhat:jboss_seam_2_framework:*:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Seam 2 Framework » Version: 2.2.1 Update CR2
cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.1:cr2:*:*:*:*:*:*
Matching versions
Redhat » Jboss Seam 2 Framework » Version: 2.1.2
cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.2:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Seam 2 Framework » Version: 2.0.0 Update CR2
cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.0:cr2:*:*:*:*:*:*
Matching versions
Redhat » Jboss Seam 2 Framework » Version: 2.0.0 Update CR3
cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.0:cr3:*:*:*:*:*:*
Matching versions
Redhat » Jboss Seam 2 Framework » Version: 2.0.2 Update CR2
cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.2:cr2:*:*:*:*:*:*
Matching versions
Redhat » Jboss Seam 2 Framework » Version: 2.0.2 Update GA
cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.2:ga:*:*:*:*:*:*
Matching versions
Redhat » Jboss Seam 2 Framework » Version: 2.0.2 Update SP1
cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.2:sp1:*:*:*:*:*:*
Matching versions
Redhat » Jboss Seam 2 Framework » Version: 2.1.1 Update CR2
cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.1:cr2:*:*:*:*:*:*
Matching versions
Redhat » Jboss Seam 2 Framework » Version: 2.1.1 Update GA
cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.1:ga:*:*:*:*:*:*
Matching versions
Redhat » Jboss Seam 2 Framework » Version: 2.2.1
cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.1:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Seam 2 Framework » Version: 2.2.0 Update GA
cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.0:ga:*:*:*:*:*:*
Matching versions
Redhat » Jboss Seam 2 Framework » Version: 2.0.0 Update CR1
cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.0:cr1:*:*:*:*:*:*
Matching versions
Redhat » Jboss Seam 2 Framework » Version: 2.1.0 Update Alpha1
cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.0:alpha1:*:*:*:*:*:*
Matching versions
Redhat » Jboss Seam 2 Framework » Version: 2.0.2 Update CR1
cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.2:cr1:*:*:*:*:*:*
Matching versions
Redhat » Jboss Seam 2 Framework » Version: 2.1.0 Update SP1
cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.0:sp1:*:*:*:*:*:*
Matching versions
Redhat » Jboss Seam 2 Framework » Version: 2.1.1 Update CR1
cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.1:cr1:*:*:*:*:*:*
Matching versions
Redhat » Jboss Seam 2 Framework » Version: 2.0.0 Update Beta1
cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.0:beta1:*:*:*:*:*:*
Matching versions
Redhat » Jboss Seam 2 Framework » Version: 2.2.1 Update CR3
cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.1:cr3:*:*:*:*:*:*
Matching versions
Redhat » Jboss Seam 2 Framework » Version: 2.0.1 Update CR2
cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.1:cr2:*:*:*:*:*:*
Matching versions
Redhat » Jboss Seam 2 Framework » Version: 2.0.1 Update GA
cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.1:ga:*:*:*:*:*:*
Matching versions
Redhat » Jboss Seam 2 Framework » Version: 2.1.0 Update CR1
cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.0:cr1:*:*:*:*:*:*
Matching versions
Redhat » Jboss Seam 2 Framework » Version: 2.1.0 Update GA
cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.0:ga:*:*:*:*:*:*
Matching versions
Redhat » Jboss Seam 2 Framework » Version: 2.2.1 Update CR1
cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.1:cr1:*:*:*:*:*:*
Matching versions
Redhat » Jboss Seam 2 Framework » Version: 2.2.0 Update CR1
cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.0:cr1:*:*:*:*:*:*
Matching versions
Redhat » Jboss Seam 2 Framework » Version: 2.1.2 Update CR1
cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.2:cr1:*:*:*:*:*:*
Matching versions
Redhat » Jboss Seam 2 Framework » Version: 2.1.2 Update CR2
cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.2:cr2:*:*:*:*:*:*
Matching versions
Redhat » Jboss Seam 2 Framework » Version: 2.0.0 Update GA
cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.0:ga:*:*:*:*:*:*
Matching versions
Redhat » Jboss Seam 2 Framework » Version: 2.0.1 Update CR1
cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.1:cr1:*:*:*:*:*:*
Matching versions
Redhat » Jboss Seam 2 Framework » Version: 2.0.3 Update CR1
cpe:2.3:a:redhat:jboss_seam_2_framework:2.0.3:cr1:*:*:*:*:*:*
Matching versions
Redhat » Jboss Seam 2 Framework » Version: 2.1.0 Update Beta1
cpe:2.3:a:redhat:jboss_seam_2_framework:2.1.0:beta1:*:*:*:*:*:*
Matching versions
Redhat » Jboss Seam 2 Framework » Version: 2.3.0 Update Beta1
cpe:2.3:a:redhat:jboss_seam_2_framework:2.3.0:beta1:*:*:*:*:*:*
Matching versions
Redhat » Jboss Seam 2 Framework » Version: 2.3.0 Update Alpha
cpe:2.3:a:redhat:jboss_seam_2_framework:2.3.0:alpha:*:*:*:*:*:*
Matching versions
Redhat » Jboss Seam 2 Framework » Version: 2.3.1 Update CR1
cpe:2.3:a:redhat:jboss_seam_2_framework:2.3.1:cr1:*:*:*:*:*:*
Matching versions
Redhat » Jboss Seam 2 Framework » Version: 2.3.0 Update CR1
cpe:2.3:a:redhat:jboss_seam_2_framework:2.3.0:cr1:*:*:*:*:*:*
Matching versions
Redhat » Jboss Seam 2 Framework » Version: 2.2.2
cpe:2.3:a:redhat:jboss_seam_2_framework:2.2.2:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Seam 2 Framework » Version: 2.3.0
cpe:2.3:a:redhat:jboss_seam_2_framework:2.3.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Seam 2 Framework » Version: 2.3.0 Update Beta2
cpe:2.3:a:redhat:jboss_seam_2_framework:2.3.0:beta2:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2013-6447

Exploit prediction scoring system (EPSS) score for CVE-2013-6447

CVSS scores for CVE-2013-6447

CWE ids for CVE-2013-6447

References for CVE-2013-6447

Products affected by CVE-2013-6447