RCE in Redhat Jboss_bpm_suite

CVE-2013-6468

JBoss Drools, Red Hat JBoss BRMS before 6.0.1, and Red Hat JBoss BPM Suite before 6.0.1 allows remote authenticated users to execute arbitrary Java code via a (1) MVFLEX Expression Language (MVEL) or (2) Drools expression.

Vulnerability class: RCE (Remote Code Execution)

EPSS: 0.005 (65.1th percentile) — read the EPSS interpretation.

Affected products

Redhat Jboss_bpm_suite — versions 6.0.0
Redhat Jboss_drools
Redhat Jboss_enterprise_brms_platform — versions 6.0.0
N/a — versions n/a

Weakness classification (CWE)

CWE-94 — Code Injection

References

RHSA-2014:0371 (x_refsource_REDHAT, vendor-advisory, Vendor Advisory)
57719 (x_refsource_SECUNIA, third-party-advisory, Vendor Advisory)
57716 (x_refsource_SECUNIA, third-party-advisory, Vendor Advisory)
RHSA-2014:0372 (x_refsource_REDHAT, vendor-advisory, Vendor Advisory)