Vulnerability Description
ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1, Red Hat JBoss Portal through 4.3 CP07 and 5.x through 5.2.2, and Red Hat JBoss Operations Network through 2.4.2 and 3.x through 3.1.2 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Jboss Enterprise Application Platform | 4.3.0 |
| Redhat | Jboss Enterprise Brms Platform | 5.0.0 |
| Redhat | Jboss Enterprise Portal Platform | 4.3.0 |
| Redhat | Jboss Enterprise Soa Platform | 4.2.0 |
| Redhat | Jboss Enterprise Web Platform | 5.1.0 |
| Redhat | Jboss Operations Network | 1.0.0 |
| Redhat | Jboss Web Framework Kit | <= 2.2.0 |
| Redhat | Richfaces | 3.1.0 |
Related Weaknesses (CWE)
References
- http://jvn.jp/en/jp/JVN38787103/index.htmlThird Party AdvisoryVDB Entry
- http://jvndb.jvn.jp/jvndb/JVNDB-2013-000072Third Party AdvisoryVDB Entry
- http://packetstormsecurity.com/files/156663/Richsploit-RichFaces-Exploitation-To
- http://rhn.redhat.com/errata/RHSA-2013-1041.htmlVendor Advisory
- http://rhn.redhat.com/errata/RHSA-2013-1042.htmlVendor Advisory
- http://rhn.redhat.com/errata/RHSA-2013-1043.htmlVendor Advisory
- http://rhn.redhat.com/errata/RHSA-2013-1044.htmlVendor Advisory
- http://rhn.redhat.com/errata/RHSA-2013-1045.htmlVendor Advisory
- http://seclists.org/fulldisclosure/2020/Mar/21
- https://access.redhat.com/security/cve/CVE-2013-2165Vendor Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=973570Issue TrackingVendor Advisory
- http://jvn.jp/en/jp/JVN38787103/index.htmlThird Party AdvisoryVDB Entry
- http://jvndb.jvn.jp/jvndb/JVNDB-2013-000072Third Party AdvisoryVDB Entry
- http://packetstormsecurity.com/files/156663/Richsploit-RichFaces-Exploitation-To
- http://rhn.redhat.com/errata/RHSA-2013-1041.htmlVendor Advisory
FAQ
What is CVE-2013-2165?
CVE-2013-2165 is a vulnerability with a CVSS score of 7.5 (HIGH). ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application...
How severe is CVE-2013-2165?
CVE-2013-2165 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2013-2165?
Check the references section above for vendor advisories and patch information. Affected products include: Redhat Jboss Enterprise Application Platform, Redhat Jboss Enterprise Brms Platform, Redhat Jboss Enterprise Portal Platform, Redhat Jboss Enterprise Soa Platform, Redhat Jboss Enterprise Web Platform.