Vulnerability Description
JBoss RichFaces 4.5.3 through 4.5.17 allows unauthenticated remote attackers to inject an arbitrary expression language (EL) variable mapper and execute arbitrary Java code via a MediaOutputResource's resource request, aka RF-14309.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Richfaces | >= 4.5.3, <= 4.5.17 |
Related Weaknesses (CWE)
References
- http://seclists.org/fulldisclosure/2020/Mar/21
- http://www.securityfocus.com/bid/104503Third Party AdvisoryVDB Entry
- https://codewhitesec.blogspot.com/2018/05/poor-richfaces.htmlExploitThird Party Advisory
- http://seclists.org/fulldisclosure/2020/Mar/21
- http://www.securityfocus.com/bid/104503Third Party AdvisoryVDB Entry
- https://codewhitesec.blogspot.com/2018/05/poor-richfaces.htmlExploitThird Party Advisory
FAQ
What is CVE-2018-12532?
CVE-2018-12532 is a vulnerability with a CVSS score of 9.8 (CRITICAL). JBoss RichFaces 4.5.3 through 4.5.17 allows unauthenticated remote attackers to inject an arbitrary expression language (EL) variable mapper and execute arbitrary Java code via a MediaOutputResource's...
How severe is CVE-2018-12532?
CVE-2018-12532 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2018-12532?
Check the references section above for vendor advisories and patch information. Affected products include: Redhat Richfaces.