Common Vulnerabilities and Exposures assigned an identifier CVE-2010-1622 to the following vulnerability:

SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1622
[2] http://www.securityfocus.com/archive/1/511877
[3] http://www.exploit-db.com/exploits/13918
[4] http://www.springsource.com/security/cve-2010-1622
[5] http://www.securityfocus.com/bid/40954

Credit: The issue was discovered by Meder Kydyraliev, Google Security Team
Statement: This issue did not affect the versions of the SpringSource Spring Framework as shipped with JBoss Enterprise Application Platform v4.2.0, v4.3.0, or v5.0.0.
This issue has been addressed in the following products:
JBWFK 1.0.0 for RHEL 4
JBWFK 1.0.0 for RHEL 5
Via RHSA-2011:0175 https://rhn.redhat.com/errata/RHSA-2011-0175.html
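The vulnerability described above is a property-path binding issue: a request parameter named for the nested class.classLoader property is bound onto a form-backing object by the Spring MVC data binder. The following is an added example, not code from this record or from the Spring project, showing the application-level hardening of restricting which fields a WebDataBinder is allowed to bind. The controller, the OrderForm command class, its field names and the /order mapping are assumptions made for illustration; the primary remediation remains upgrading to a fixed version listed above.

```java
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

// Hypothetical form-backing object; its name and fields are assumed for this example.
class OrderForm {
    private String item;
    private int quantity;

    public String getItem() { return item; }
    public void setItem(String item) { this.item = item; }
    public int getQuantity() { return quantity; }
    public void setQuantity(int quantity) { this.quantity = quantity; }
}

@Controller
public class OrderController {

    // Invoked before request parameters are bound onto OrderForm for this controller.
    @InitBinder
    public void restrictBinding(WebDataBinder binder) {
        // Allow-list only the form's genuine fields. Any other parameter name,
        // including nested paths such as class.classLoader.URLs[0], is ignored
        // by the binder instead of being applied to the object graph.
        binder.setAllowedFields("item", "quantity");

        // Defense in depth: explicitly deny the class / classLoader path as well,
        // so the protection survives if the allow-list is later relaxed.
        binder.setDisallowedFields("class.*", "Class.*", "*.class.*", "*.Class.*");
    }

    @RequestMapping(value = "/order", method = RequestMethod.POST)
    public String submit(@ModelAttribute OrderForm form) {
        // Only item and quantity can have been populated from the request.
        return "orderConfirmed";
    }
}
```

An allow-list is preferable to a deny-list because it fails closed: a new bean property added later is not bindable until a developer names it. The same restriction can be applied globally with a @ControllerAdvice-scoped @InitBinder method rather than per controller.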