CVE-2018-12532

Опубликовано: 18 июн. 2018

Источник: nvd

CVSS3: 9.8

CVSS2: 7.5

EPSS Низкий

Описание

JBoss RichFaces 4.5.3 through 4.5.17 allows unauthenticated remote attackers to inject an arbitrary expression language (EL) variable mapper and execute arbitrary Java code via a MediaOutputResource's resource request, aka RF-14309.

Ссылки

http://seclists.org/fulldisclosure/2020/Mar/21
http://www.securityfocus.com/bid/104503
Third Party Advisory
VDB Entry
https://codewhitesec.blogspot.com/2018/05/poor-richfaces.html
Exploit
Third Party Advisory
http://seclists.org/fulldisclosure/2020/Mar/21
http://www.securityfocus.com/bid/104503
Third Party Advisory
VDB Entry
https://codewhitesec.blogspot.com/2018/05/poor-richfaces.html
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:redhat:richfaces:*:*:*:*:*:*:*:*

Версия от 4.5.3 (включая) до 4.5.17 (включая)

EPSS

Процентиль: 87%

0.03296

Низкий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-917

Связанные уязвимости

CVE-2018-12532

CVSS3: 9.8

redhat

больше 7 лет назад

GHSA-3hx6-fqpj-xfjr

CVSS3: 9.8

github

больше 3 лет назад

RichFaces vulnerable to Expression Language Injection

EPSS

Процентиль: 87%

0.03296

Низкий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-917