{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright © Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for the seam-remoting component of Red Hat JBoss Web Framework\nKit 2.4.0 that fixes two security issues is now available from the Red Hat\nCustomer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from the\nCVE link in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat JBoss Web Framework Kit combines popular open source web frameworks\ninto a single solution for Java applications. The JBoss Seam Remoting\ncomponent provides a convenient method of remotely accessing Seam\ncomponents from a web page, using AJAX (Asynchronous JavaScript and XML).\n\nIt was found that the ExecutionHandler, PollHandler, and\nSubscriptionHandler classes in JBoss Seam Remoting unmarshalled\nuser-supplied XML and resolved external entities in this XML. A remote\nattacker could use this flaw to read files accessible to the user running\nthe application server, and potentially perform other more advanced XML\nExternal Entity (XXE) attacks. (CVE-2013-6447)\n\nIt was found that the InterfaceGenerator handler in JBoss Seam Remoting\nexposed details of all classes and methods on the server's classpath, not\nonly methods with the org.jboss.seam.annotations.remoting.WebRemote\nannotation. A remote attacker could use this flaw to determine which\nclasses are deployed on the JBoss server. (CVE-2013-6448)\n\nRed Hat would like to thank Jon Passki of Coverity SRL for reporting these\nissues.\n\nAll users of Red Hat JBoss Web Framework Kit 2.4.0 as provided from the Red\nHat Customer Portal are advised to apply this update.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2014:0045",
        "url": "https://access.redhat.com/errata/RHSA-2014:0045"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=web.framework.kit&downloadType=securityPatches&version=2.4.0",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=web.framework.kit&downloadType=securityPatches&version=2.4.0"
      },
      {
        "category": "external",
        "summary": "1044784",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1044784"
      },
      {
        "category": "external",
        "summary": "1044794",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1044794"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0045.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat JBoss Web Framework Kit 2.4.0 update",
    "tracking": {
      "current_release_date": "2026-01-28T22:58:08+00:00",
      "generator": {
        "date": "2026-01-28T22:58:08+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.16"
        }
      },
      "id": "RHSA-2014:0045",
      "initial_release_date": "2014-01-20T17:30:41+00:00",
      "revision_history": [
        {
          "date": "2014-01-20T17:30:41+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2019-01-16T09:52:28+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-01-28T22:58:08+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss Web Framework Kit 2.4",
                "product": {
                  "name": "Red Hat JBoss Web Framework Kit 2.4",
                  "product_id": "Red Hat JBoss Web Framework Kit 2.4",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_web_framework:2.4.0"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Web Framework Kit"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Jon Passki"
          ],
          "organization": "Coverity SRL"
        }
      ],
      "cve": "CVE-2013-6447",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "discovery_date": "2013-12-19T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1044784"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Multiple XML External Entity (XXE) vulnerabilities in the (1) ExecutionHandler, (2) PollHandler, and (3) SubscriptionHandler classes in JBoss Seam Remoting in JBoss Seam 2 framework 2.3.1 and earlier, as used in JBoss Web Framework Kit, allow remote attackers to read arbitrary files and possibly have other impacts via a crafted XML file.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Seam: XML eXternal Entity (XXE) flaw in remoting",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue affects Seam 3 remoting, but Seam 3 is not shipped with any Red Hat products, and Seam 3 development has been terminated. This issue is not currently planned to be addressed in a future update to Seam 3.\n\nRed Hat JBoss BRMS 5; Red Hat JBoss Enterprise Application Platform 4 and 5; Red Hat JBoss Enterprise Portal Platform 5; Red Hat JBoss Enterprise SOA Platform 4 and 5; and Red Hat JBoss Enterprise Web Platform 5 are now in Phase 3, Extended Life Support, of their respective life cycles. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Web Framework Kit 2.4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2013-6447"
        },
        {
          "category": "external",
          "summary": "RHBZ#1044784",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1044784"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2013-6447",
          "url": "https://www.cve.org/CVERecord?id=CVE-2013-6447"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6447",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6447"
        }
      ],
      "release_date": "2014-01-20T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2014-01-20T17:30:41+00:00",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting installation of Red Hat JBoss Web Framework Kit.\n\nThe JBoss server process must be restarted for this update to take effect.\nNote: the structured restart_required field of this remediation is set to\nnone, which contradicts this instruction; treat the restart as required,\nsince the patched seam-remoting classes are not loaded until the server\nprocess is restarted.",
          "product_ids": [
            "Red Hat JBoss Web Framework Kit 2.4"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:0045"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Web Framework Kit 2.4"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "Seam: XML eXternal Entity (XXE) flaw in remoting"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Jon Passki"
          ],
          "organization": "Coverity SRL"
        }
      ],
      "cve": "CVE-2013-6448",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "discovery_date": "2013-12-19T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1044794"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The InterfaceGenerator handler in JBoss Seam Remoting in JBoss Seam 2 framework 2.3.1 and earlier, as used in JBoss Web Framework Kit, allows remote attackers to bypass the WebRemote annotation restriction and obtain information about arbitrary classes and methods on the server classpath via unspecified vectors.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Seam: Information disclosure in remoting",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat JBoss BRMS 5; Red Hat JBoss Enterprise Application Platform 4 and 5; Red Hat JBoss Enterprise Portal Platform 5; Red Hat JBoss Enterprise SOA Platform 4 and 5; and Red Hat JBoss Enterprise Web Platform 5 are now in Phase 3, Extended Life Support, of their respective life cycles. This issue has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Web Framework Kit 2.4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2013-6448"
        },
        {
          "category": "external",
          "summary": "RHBZ#1044794",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1044794"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2013-6448",
          "url": "https://www.cve.org/CVERecord?id=CVE-2013-6448"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6448",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6448"
        }
      ],
      "release_date": "2014-01-20T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2014-01-20T17:30:41+00:00",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting installation of Red Hat JBoss Web Framework Kit.\n\nThe JBoss server process must be restarted for this update to take effect.\nNote: the structured restart_required field of this remediation is set to\nnone, which contradicts this instruction; treat the restart as required,\nsince the patched seam-remoting classes are not loaded until the server\nprocess is restarted.",
          "product_ids": [
            "Red Hat JBoss Web Framework Kit 2.4"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:0045"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Web Framework Kit 2.4"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "Seam: Information disclosure in remoting"
    }
  ]
}