CVE-2015-0279

Name of the Vulnerable Software and Affected Versions JBoss RichFaces versions prior to 4.5.4 Tufin SecureChange (affected versions not specified)

Description The issue allows remote attackers to inject expression language (EL) expressions and execute arbitrary Java code. This can be achieved via the do parameter. There is a report of this issue being used for unauthenticated remote code execution (RCE).

Recommendations For JBoss RichFaces versions prior to 4.5.4, update to version 4.5.4 or later to resolve the issue. For Tufin SecureChange, at the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the do parameter to minimize the risk of exploitation.