Description
JBoss RichFaces 4.5.3 through 4.5.17 allows unauthenticated remote attackers to inject an arbitrary expression language (EL) variable mapper and execute arbitrary Java code via a MediaOutputResource's resource request, aka RF-14309.
Report
This issue does not affect the following Red Hat products, as they do not include the vulnerable version of the RichFaces component: Red Hat JBoss EAP 5.2, Red Hat JBoss Data Virtualization 6.4, Red Hat JBoss BRMS 5.3, Red Hat JBoss Operations Network 3.3.
Affected packages
| Platform | Package | Status | Recommendation | Release |
|---|---|---|---|---|
| JBoss Developer Studio 11 | RichFaces | Not affected | | |
| Red Hat JBoss BRMS 5 | RichFaces | Not affected | | |
| Red Hat JBoss Data Virtualization 6 | RichFaces | Not affected | | |
| Red Hat JBoss Enterprise Application Platform 5 | RichFaces | Not affected | | |
| Red Hat JBoss Enterprise Application Platform 6 | RichFaces | Not affected | | |
| Red Hat JBoss Operations Network 3 | RichFaces | Not affected | | |
| Red Hat JBoss SOA Platform 5 | RichFaces | Not affected | | |
Additional information
Status:
EPSS
CVSS3: 9.8 Critical
Related vulnerabilities
JBoss RichFaces 4.5.3 through 4.5.17 allows unauthenticated remote attackers to inject an arbitrary expression language (EL) variable mapper and execute arbitrary Java code via a MediaOutputResource's resource request, aka RF-14309.
RichFaces vulnerable to Expression Language Injection