Description
The RichFaces Framework 3.X through 3.3.4 is vulnerable to Expression Language (EL) injection via the UserResource resource. A remote, unauthenticated attacker could exploit this to execute arbitrary code using a chain of Java serialized objects via org.ajax4jsf.resource.UserResource$UriData.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| JBoss Developer Studio 11 | RichFaces | Out of support scope | ||
| Red Hat JBoss Operations Network 3 | RichFaces | Not affected | ||
| JBoss Enterprise BRMS Platform 5.3 | RichFaces | Fixed | RHSA-2018:3581 | 13.11.2018 |
| Red Hat JBoss EAP 5 | RichFaces | Fixed | RHSA-2018:3518 | 06.11.2018 |
| Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 | richfaces | Fixed | RHSA-2018:3517 | 06.11.2018 |
| Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 | richfaces | Fixed | RHSA-2018:3517 | 06.11.2018 |
| Red Hat JBoss SOA Platform 5.3 | RichFaces | Fixed | RHSA-2018:3519 | 07.11.2018 |
Additional information
Status:
Critical
Defect:
CWE-94
https://bugzilla.redhat.com/show_bug.cgi?id=1639139 RichFaces: Expression Language injection via UserResource allows for unauthenticated remote code execution
EPSS
Percentile: 100%
0.89374
High
9.8 Critical
CVSS3
Related vulnerabilities
CVSS3: 9.8
nvd
more than 7 years ago
The RichFaces Framework 3.X through 3.3.4 is vulnerable to Expression Language (EL) injection via the UserResource resource. A remote, unauthenticated attacker could exploit this to execute arbitrary code using a chain of Java serialized objects via org.ajax4jsf.resource.UserResource$UriData.
CVSS3: 9.8
github
more than 3 years ago
Richfaces vulnerable to arbitrary code execution