Description
JBoss RichFaces before 4.5.4 allows remote attackers to inject expression language (EL) expressions and execute arbitrary Java code via the do parameter.
It was found that the 'do' parameter permitted expression language (EL) injection, which could allow a remote attacker to execute Java methods on an affected server.
Statement
This issue did not affect any version of Red Hat JBoss Enterprise Application Platform 5 as they did not include the vulnerable version of the RichFaces component. JBoss EAP 5.x includes versions 3.3.1.x of RichFaces; this vulnerability was introduced in version 4.x of RichFaces.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat JBoss Data Grid 6 | wildfly | Not affected | | |
| Red Hat JBoss Enterprise Application Platform 5 | richfaces | Not affected | | |
| Red Hat JBoss Enterprise Application Platform 6 | wildfly | Not affected | | |
| Red Hat JBoss Operations Network 3 | wildfly | Affected | | |
| Red Hat JBoss Portal 5 | richfaces | Affected | | |
| Red Hat JBoss Portal 6 | richfaces | Affected | | |
| Red Hat JBoss SOA Platform 5 | wildfly | Affected | | |
| Red Hat JBoss Web Framework Kit 2.7 | | Fixed | RHSA-2015:0719 | 24.03.2015 |
Additional information
Status:
EPSS
CVSS2: 6.8 Medium