PT-2018-12653 · Red Hat · Red Hat Jboss Richfaces Framework

Joao Filho Matos Figueiredo +1 · Published 2018-11-06 · Updated 2025-11-03 · CVE-2018-14667

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

RichFaces Framework versions 3.X through 3.3.4

Description

The RichFaces Framework is susceptible to Expression Language (EL) injection through the UserResource resource. A remote, unauthenticated attacker can potentially execute arbitrary code by exploiting a chain of Java serialized objects via org.ajax4jsf.resource.UserResource$UriData. This issue is currently being exploited in attacks, as indicated by CISA advisories.

Recommendations

Versions prior to 3.4 are affected.

Exploit

Fix

Code Injection

Weakness Enumeration

Related identifiers

CVE-2018-14667
GHSA-J7MW-7CRR-658V
RHSA-2018:3517

Affected products

Red Hat Jboss Richfaces Framework